Abstract

The class of unquantified formulae of set theory involving Boolean operators, the powerset and singleton operators, and the equality and membership predicates is shown to have a solvable satisfiability problem.

It is also shown that whenever a formula $\varphi$ in the above class is satisfiable there exists a hereditarily finite model of $\varphi$, whose rank is bounded by a doubly exponential expression in the number of variables occurring in $\varphi$.

1      INTRODUCTION 

Computer verified proofs, even of very elementary mathematical theorems, still require entry of an excessive mass of tedious detail. The same remark applies to the more pragmatic task of program verification. Any hope of making program verification practical will require proof verifiers powerful enough to accept a proof expressed at a level of detail that comes to approximate the mathematical language used in a graduate textbook. Any such verifier will need to incorporate decision procedures for elementary fragments of mathematical theories which handle fundamental inference steps much larger than those handled by present verifiers (cf. [Ble3], [BoM], [Con], [KeW], [LuO], [Pas], [Sla], [Tho], and [Wey], for example).

Many efforts have been recently concentrated on inference techniques for various sublanguages of set theory (and, to some extent, analysis) (see [BrF], [BFOS], [Can], [CFMS], [CFO], [CFOS], [CFS1], [CFS2], [CGO], [COP], [Fer1], [Fer2], [FeO], [FOS1], [FOS2], [Omo], [PaP], [Sch1]).

In [FOS1], the theory MLS (Multi-Level Syllogistic) consisting of formulae built using the boolean connectives (conjunction, disjunction, implication and negation) from set-theoretic atoms of the types

$$x = y \cup z,\quad x = y \setminus z,\quad x \in y$$

has been shown to have a solvable satisfiability problem. The satisfiability problem for the extension of MLS obtained by allowing the singleton operator to appear (MLSS theory) was also solved (cf. [FOS1]). In his doctoral dissertation ([Fer1]), Ferro showed that the class of formulae MLS remains decidable even if at most two occurrences of the powerset operator are allowed; see also the earlier result of [Bre]. This result was subsequently extended in [CFS2], where it is shown that the class of formulae MLSP obtained from MLS by allowing an unrestricted number of occurrences of the powerset also has a solvable satisfiability problem.

This paper describes a decision procedure for a class of set theoretic formulae involving singleton and powerset operators. Specifically, it is shown that the family of unquantified formulae of set theory built up using binary union and intersection, set difference, powerset, singleton, the binary predicates set-membership and equality, and the propositional boolean connectives has a decidable satisfiability problem.

The intended meaning of the language is that in which variables range over (possibly infinite) sets in the standard universe of 'naive' set theory, and the various standard set-theoretic operator and predicate symbols have their standard meanings; hence an interpretation $M$ of a set of sentences $\varphi$ of our language is a function which maps every variable $x$ into a set $Mx$. If all the sentences of $\varphi$ are true under some interpretation of this kind, $\varphi$ is said to be satisfiable and each interpretation which satisfies $\varphi$ is called a model of $\varphi$. (Note that all our considerations are easily formalizable in ZFC, and in fact even in weaker set-theoretical systems, since the language with which we work includes only a very few constructs. But we will not belabor this technical point since this paper is concerned with computational rather than foundational questions.)


The technique used in our solution of the aforementioned satisfiability problem involves an interplay of syntactic and model-theoretic arguments. Firstly, each variable occurring in a normalized conjunction $\varphi$ is split into disjoint parts (the places of $\varphi$), which are essentially syntactic counterparts of the Venn diagram regions of a model of $\varphi$. Then it is proved that under the assumption that $\varphi$ is satisfiable, $\varphi$ must admit a canonical model of rank bounded solely by a function of the size of the conjunction $\varphi$ whose satisfiability is to be tested. This is achieved by exhibiting a nondeterministic standardization algorithm consisting of an initialization phase and a stabilization loop. During the initialization phase places are provisionally assigned empty models. The subsequent stabilization phase enlarges the sets corresponding to places in such a way as to ensure that all clauses in $\varphi$ are correctly modeled. To prove that such completion can be carried out in an a priori bounded number of steps whenever $\varphi$ is satisfiable, an assumed model $M$ of $\varphi$ is used as an oracle within a nondeterministic standardization algorithm which associates final models with all places of $\varphi$.

As a corollary of this construction, it follows that a conjunction $\varphi$ is satisfiable if and only if it has a hereditarily finite model of rank bounded by a doubly exponential expression in the number of variables occurring in $\varphi$.

2     PRELIMINARIES 

We denote by MLSSP the propositional closure of atoms of the types

$$x = y \cup z,\quad x = y \setminus z,\quad x \in y,\quad x = \{y\},\quad x = \mathrm{pow}(y).$$

By using disjunctive normal form and by eliminating inequalities through the axiom of extensionality, the satisfiability problem for MLSSP can be reduced to the satisfiability problem for the subtheory MLSSP' consisting of the conjunctions of literals of the following types,

$$x = y \cup z,\quad x = y \setminus z,\quad x \in y,\quad x \notin y,\quad x = \{y\},\quad x = \mathrm{pow}(y).$$

For convenience, we will consider a slightly different variant of the satisfiability concept, as described in the following definition.

DEFINITION 2.1 Let $\varphi$ be any formula of set theory. An assignment $A$ of sets to variables occurring in $\varphi$ is said to be an injective assignment on $\varphi$ if $Ax \neq Ay$ for all distinct variables $x$ and $y$ in $\varphi$.

$\varphi$ is said to be injectively satisfiable if there exists an injective assignment which satisfies $\varphi$.


LEMMA 2.2 The satisfiability problem and the injective satisfiability problem for MLSSP' are equivalent.

Proof. It is enough to observe that for every conjunction $\varphi$ in MLSSP', $\varphi$ is injectively satisfiable if and only if at least one of its variants, obtained by suitably identifying variables in $\varphi$, is satisfiable. •

It is also helpful to consider the subtheory MLSSP'' of MLSSP' consisting of those conjunctions $\varphi$ which contain the clauses $q_0 = q_0 \setminus q_0$, $p_0 = \mathrm{pow}(q_0)$, $p_v = \mathrm{pow}(q_v)$, $q_v \setminus p_v = q_0$, and $x \in q_v$ for all variables $x$ in $\varphi$ distinct from $q_v$ and $p_v$, where $q_0$, $p_0$, $q_v$ and $p_v$ are pairwise distinct variables, occurring in $\varphi$ only within the above clauses.

Then  we  have: 

LEMMA 2.3 The injective satisfiability problem for MLSSP' is reducible to the injective satisfiability problem for MLSSP''.

Proof. It is enough to show that every MLSSP' conjunction can be effectively transformed into an equisatisfiable MLSSP'' conjunction. So, let $\varphi$ be an MLSSP' conjunction. We let $\tau(\varphi)$ denote the conjunction

$$\varphi \land q_0 = q_0 \setminus q_0 \land p_0 = \mathrm{pow}(q_0) \land p_v = \mathrm{pow}(q_v) \land q_v \setminus p_v = q_0 \land$$

where $q_0$, $p_0$, $q_v$ and $p_v$ are pairwise distinct variables not occurring in $\varphi$. Clearly, if $\tau(\varphi)$ is satisfiable, so is $\varphi$. Conversely, assume $\varphi$ is satisfiable and let $M$ be one of its models. Put $Mq_0 = \emptyset$, $Mp_0 = \{\emptyset\}$,

$$Mq_v = \mathrm{transitive\_closure}(\{Mx : x \text{ occurs in } \varphi\}),\quad Mp_v = \mathrm{pow}(Mq_v),$$

where

$$\mathrm{transitive\_closure}(s) = \bigcap_{s \subseteq t,\ t \text{ transitive}} t$$

and where a set $t$ is said to be transitive if $u \subseteq t$ for all $u \in t$.

It is an easy matter to show that the assignment so extended models correctly $\tau(\varphi)$, thus proving that $\varphi$ and $\tau(\varphi)$ are equisatisfiable. •

Next we will introduce some concepts of fundamental relevance in the following sections.

Suppose that a conjunction $\varphi$ of MLSSP' is given.

DEFINITION 2.4 A place $\pi$ of $\varphi$ is a 0/1-valued function defined on the set of all variables in $\varphi$ such that $\pi(x) = \pi(y) \lor \pi(z)$ (resp. $\pi(x) = \pi(y) \land \lnot\pi(z)$) if $x = y \cup z$ (resp. $x = y \setminus z$) appears in $\varphi$. Moreover, given a variable $x$, the place $\pi$ is said to be a place at $x$ (of $\varphi$) if $\pi(y) = 1$ whenever $x \in y$ appears in $\varphi$ and $\pi(y) = 0$ whenever $x \notin y$ appears in $\varphi$.

In the next section we will see that any model of $\varphi$ defines naturally a set of places for $\varphi$ and places to variables which go a long way toward describing the structure of the model itself.

The following definition introduces a concept of central importance to our purposes.

DEFINITION 2.5 Let $s$ be a set. Then we put

$$\mathrm{pow}^*(s) = \{t : t \subseteq \mathrm{Un}(s) \land (\forall s' \in s)(t \cap s' \neq \emptyset)\}$$

(where by $\mathrm{Un}$ we denote the unary union defined by $\mathrm{Un}(s) = \{u : u \in r, \text{ for some } r \in s\}$; cf. [Jec]).

Some immediate properties of the operator $\mathrm{pow}^*$ are listed below.

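LEMMA 2.6 (a) $\mathrm{pow}^*(\emptyset) = \{\emptyset\}$.

(b) Let $s_1$ and $s_2$ be two sets such that $s_1 \cup s_2$ is a collection of pairwise disjoint sets. If $\mathrm{pow}^*(s_1) = \mathrm{pow}^*(s_2)$, then $s_1 = s_2$.

(c) Let $\{s_i : i \in I\}$ and $\{t_i : i \in I\}$ be collections of sets such that $s_i \subseteq t_i$ for all $i \in I$. Then $\mathrm{pow}^*(\{s_i : i \in I\}) \subseteq \mathrm{pow}^*(\{t_i : i \in I\})$.

(d) For each set $s$,

$$\mathrm{pow}(\mathrm{Un}(s)) = \mathrm{Un}\{\mathrm{pow}^*(t) : t \in \mathrm{pow}(s)\}.$$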

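Proof. (a) is an immediate consequence of the definition of $\mathrm{pow}^*$.

Concerning (b), it suffices to observe that if $\mathrm{pow}^*(s_1) = \mathrm{pow}^*(s_2)$ then $\mathrm{Un}(s_1) = \mathrm{Un}(s_2)$. The latter equality combined with the disjointness hypothesis implies $s_1 = s_2$.

Concerning (c), let $\{s_i : i \in I\}$ and $\{t_i : i \in I\}$ be such that $s_i \subseteq t_i$ for all $i \in I$. Plainly, $\mathrm{Un}(\{s_i : i \in I\}) \subseteq \mathrm{Un}(\{t_i : i \in I\})$. Moreover, if $u \cap s_i \neq \emptyset$ for all $i \in I$, then a fortiori $u \cap t_i \neq \emptyset$, for all $i \in I$. Hence $\mathrm{pow}^*(\{s_i : i \in I\}) \subseteq \mathrm{pow}^*(\{t_i : i \in I\})$.

Finally, as regards (d), let $u \in \mathrm{pow}(\mathrm{Un}(s))$, and let $t_u = \{t \in s : t \cap u \neq \emptyset\}$. Plainly $u \in \mathrm{pow}^*(t_u)$ and $t_u \in \mathrm{pow}(s)$, which prove $\mathrm{pow}(\mathrm{Un}(s)) \subseteq \mathrm{Un}\{\mathrm{pow}^*(t) : t \in \mathrm{pow}(s)\}$. Also, as $\mathrm{pow}^*(t) \subseteq \mathrm{pow}(\mathrm{Un}(t)) \subseteq \mathrm{pow}(\mathrm{Un}(s))$, for all $t \in \mathrm{pow}(s)$, the converse inclusion follows at once, thereby proving (d), and in turn concluding the proof of the lemma. •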

Remark. Throughout this paper, for any given mapping $f : X \to Y$, we denote by $\bar f$ the mapping from $\mathrm{pow}(X)$ into $\mathrm{pow}(Y)$ defined by

$$\bar f(A) = f[A], \text{ for all } A \in \mathrm{pow}(X).$$

The following properties hold.

LEMMA 2.7 Let $f$ be a 1-1 function. Then,

(a) $\bar f$ is 1-1.

(b) If $s \subseteq \mathrm{pow}(\mathrm{dom}(f))$, then
(b.1) $\mathrm{pow}^*(s) \subseteq \mathrm{dom}(\bar f)$, and
(b.2) $\bar f[\mathrm{pow}^*(s)] = \mathrm{pow}^*(\bar f[s])$.

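Proof. Concerning (a), let $s_1$ and $s_2$ be two distinct subsets of $\mathrm{dom}(f)$, and let $u \in (s_1 \setminus s_2) \cup (s_2 \setminus s_1)$. Then $f(u) \in f[(s_1 \setminus s_2) \cup (s_2 \setminus s_1)] = (f[s_1] \setminus f[s_2]) \cup (f[s_2] \setminus f[s_1])$, which implies $f[s_1] \neq f[s_2]$, i.e. $\bar f$ is injective.

As regards (b), let $s \subseteq \mathrm{pow}(\mathrm{dom}(f))$. Then for each $t \in \mathrm{pow}^*(s)$, $t \subseteq \mathrm{Un}(s) \subseteq \mathrm{dom}(f)$, i.e. $t \in \mathrm{dom}(\bar f)$. Therefore $\mathrm{pow}^*(s) \subseteq \mathrm{dom}(\bar f)$, which proves (b.1). To prove (b.2), let $t \in \mathrm{pow}^*(s)$. As $t \subseteq \mathrm{Un}(s)$, we have $\bar f(t) = f[t] \subseteq f[\mathrm{Un}(s)] = \mathrm{Un}(\bar f[s])$. Moreover, $t \cap s' \neq \emptyset$ for each $s' \in s$. Hence $\bar f(t) \cap u \neq \emptyset$, for all $u \in \bar f[s]$. Thus $\bar f(t) \in \mathrm{pow}^*(\bar f[s])$, which proves $\bar f[\mathrm{pow}^*(s)] \subseteq \mathrm{pow}^*(\bar f[s])$. Conversely, let $w \in \mathrm{pow}^*(\bar f[s])$. Then $w \subseteq \mathrm{Un}(\bar f[s]) \subseteq f[\mathrm{Un}(s)]$. Put $u = f^{-1}[w]$. Plainly $u \subseteq \mathrm{Un}(s)$. Moreover, for all $s' \in s$, $w \cap f[s'] = w \cap \bar f(s') \neq \emptyset$, so that $u \cap s' = f^{-1}[w] \cap f^{-1}f[s'] = f^{-1}[w \cap f[s']] \neq \emptyset$. Hence $u \in \mathrm{pow}^*(s)$, and since $w = ff^{-1}[w] = f[u] = \bar f(u)$, we obtain $w \in \bar f[\mathrm{pow}^*(s)]$ which in turn implies $\mathrm{pow}^*(\bar f[s]) \subseteq \bar f[\mathrm{pow}^*(s)]$. This concludes the proof of (b.2), so that the lemma is completely proved. •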
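The operator of Definition 2.5 and the identities of Lemmas 2.6 and 2.7 can be checked mechanically on hereditarily finite sets. The following is an added example, not code from the paper; the function names, the sample sets and the injection `F` are assumptions made for illustration.

```python
from itertools import chain, combinations

def powerset(s):
    """pow(s): all subsets of the frozenset s."""
    items = list(s)
    subsets = chain.from_iterable(combinations(items, k) for k in range(len(items) + 1))
    return frozenset(frozenset(c) for c in subsets)

def Un(s):
    """Unary union: Un(s) = {u : u in r for some r in s}."""
    return frozenset(u for r in s for u in r)

def pow_star(s):
    """pow*(s) = {t : t is a subset of Un(s) and t meets every member of s}."""
    return frozenset(t for t in powerset(Un(s)) if all(t & r for r in s))

def lemma_2_6_d(s):
    """pow(Un(s)) == Un{pow*(t) : t in pow(s)}."""
    return powerset(Un(s)) == Un(frozenset(pow_star(t) for t in powerset(s)))

def lemma_2_6_c(S, T):
    """For indexed families with S[i] a subset of T[i]: pow*(S) is a subset of pow*(T)."""
    assert len(S) == len(T) and all(a <= b for a, b in zip(S, T))
    return pow_star(frozenset(S)) <= pow_star(frozenset(T))

def lift(f, family):
    """Image of a family of subsets of dom(f) under f-bar, where f-bar(A) = f[A]."""
    return frozenset(frozenset(f[a] for a in A) for A in family)

def lemma_2_7_b2(f, s):
    """f-bar[pow*(s)] == pow*(f-bar[s]) for an injective f with s inside pow(dom f)."""
    assert len(set(f.values())) == len(f)          # f is 1-1
    assert all(r <= frozenset(f) for r in s)       # s is a subset of pow(dom(f))
    return lift(f, pow_star(s)) == pow_star(lift(f, s))

# Constructed sample sets (hereditarily finite, built from the empty set).
EMPTY = frozenset()
ONE = frozenset({EMPTY})                 # {0}
TWO = frozenset({EMPTY, ONE})            # {0, {0}}
S = frozenset({ONE, TWO})                # a family of two overlapping sets
F = {EMPTY: "a", ONE: "b"}               # a constructed injection on Un(S)

if __name__ == "__main__":
    print("pow*(empty) =", pow_star(EMPTY))
    print("|pow*(S)| =", len(pow_star(S)))
    # A family with the empty set as a member has empty pow*: nothing meets it.
    print("pow*(TWO) =", pow_star(TWO))
    print("2.6(d):", lemma_2_6_d(S), lemma_2_6_d(TWO))
    print("2.7(b.2):", lemma_2_7_b2(F, S))
```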

We close this section by defining the von Neumann hierarchy of sets and by introducing the notion of rank of a set. Specifically, for all ordinals $\alpha$, put inductively

$$\begin{aligned} V_0 &= \emptyset \\ V_{\alpha+1} &= \mathrm{pow}(V_\alpha) \\ V_\alpha &= \bigcup_{\beta < \alpha} V_\beta, \text{ if } \alpha \text{ is a limit ordinal.} \end{aligned}$$

Finally, the von Neumann universe of sets is

$$V = \bigcup_{\alpha \in \mathrm{Ord}} V_\alpha.$$

It follows from the axiom of regularity that every set belongs to some set $V_\alpha$ (see for example [Jec]). Therefore for every set $s$ we may define the rank of $s$ by putting

$$\mathrm{rank}(s) = \text{least } \alpha \text{ such that } s \in V_{\alpha+1}.$$

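Some of the most useful properties of the rank function are:

(i) for every ordinal number $\alpha$, $\mathrm{rank}(\alpha) = \alpha$;

(ii) $\mathrm{rank}(\{s_0, s_1, \ldots, s_n\}) = \max_{i \in \{0,1,\ldots,n\}} \mathrm{rank}(s_i) + 1$;

(iii) $\mathrm{rank}(s) = \bigcup_{r \in s}(\mathrm{rank}(r) + 1) = \sup_{r \in s}(\mathrm{rank}(r) + 1)$;

(iv) if $r \in s$, then $\mathrm{rank}(r) < \mathrm{rank}(s)$;

(v) $\mathrm{rank}(s \cup t) = \max\{\mathrm{rank}(s), \mathrm{rank}(t)\}$;

(vi) $\mathrm{rank}(\bigcup_{i \in I} s_i) = \bigcup_{i \in I} \mathrm{rank}(s_i)$;

(vii) $V_\alpha = \{s : \mathrm{rank}(s) < \alpha\}$.

The members of $V_\omega$, i.e. the sets having finite rank, are called hereditarily finite sets.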

3     THE  MAIN  RESULT 

In the preceding section we have shown that the satisfiability problem for the class of formulae MLSSP can be reduced to the injective satisfiability problem for the narrower class MLSSP''. This section solves this latter problem.

The following theorem gives decidable conditions for a conjunction $\varphi$ in MLSSP'' to be injectively satisfiable.

THEOREM 3.1 Let $\varphi$ be a conjunction of literals each of which has one of the following types,

($=$) $x = y \cup z$, $x = y \setminus z$

($\{\cdot\}$) $x = \{y\}$

(pow) $x = \mathrm{pow}(y)$.


Assume also that $\varphi$ contains the clauses

$$q_0 = q_0 \setminus q_0,\quad p_0 = \mathrm{pow}(q_0),\quad p_v = \mathrm{pow}(q_v),\quad q_v \setminus p_v = q_0,\quad x \in q_v, \qquad (1)$$

for all variables $x$ in $\varphi$ distinct from $q_v$ and $p_v$, where $q_0$, $p_0$, $q_v$, and $p_v$ occur in $\varphi$ only within the clauses (1). Also, let $p_0 = \mathrm{pow}(q_0)$, $p_1 = \mathrm{pow}(q_1)$, ..., $p_{v-1} = \mathrm{pow}(q_{v-1})$, $p_v = \mathrm{pow}(q_v)$ be all powerset clauses in $\varphi$, and let $V$ be the collection of distinct variables occurring in $\varphi$. Then $\varphi$ is injectively satisfiable, i.e. satisfiable by a model which maps distinct variables into distinct sets, if and only if there exist

(i) a set $\Pi = \{\pi_1, \ldots, \pi_n\}$ of places of $\varphi$;
(ii) a mapping $x \mapsto \pi^x$ from $V \setminus \{p_v\}$ into $\Pi$;
(iii) a mapping $\pi \mapsto \overline{\pi}$ from $\Pi$ into the von Neumann universe of sets

such that

(C1) no two distinct variables in $\varphi$ are $\Pi$-equivalent (i.e. for every $x, y$ in $\varphi$, with $x \neq y$, there is a place $\pi \in \Pi$ such that $\pi(x) \neq \pi(y)$);

(C2) for each variable $x$ in $V \setminus \{p_v\}$ the place $\pi^x$ is at the variable $x$;

(C3.a) $\overline{\pi} \neq \emptyset$, for all places $\pi \in \Pi$;

(C3.b) $\overline{\alpha} \cap \overline{\beta} = \emptyset$, for all places $\alpha, \beta \in \Pi$, with $\alpha \neq \beta$;

(C3.c) $\bigcup_{\pi(x)=1} \overline{\pi} \in \overline{\pi^x}$, for all variables $x$ in $V \setminus \{p_v\}$;

(C3.d) $\bigcup_{\alpha(p)=1} \overline{\alpha} = \mathrm{pow}\big(\bigcup_{\beta(q)=1} \overline{\beta}\big)$, for all powerset clauses $p = \mathrm{pow}(q)$ in $\varphi$;

(C3.e) $\bigcup_{\alpha(x)=1} \overline{\alpha} = \big\{\bigcup_{\beta(y)=1} \overline{\beta}\big\}$, for all singleton clauses $x = \{y\}$ in $\varphi$;

(C4) it must be possible to produce the mapping $\pi \mapsto \overline{\pi}$ in (iii) by an execution of the following nondeterministic association algorithm, in which Step 2 is executed at most $(p-2)(n-1)2^{n-1} + 3 \cdot 2^{n-1} - 2$ times, where $n = |\Pi|$, and $p$ is any natural number greater than 1 and such that $2^{p-1} > p(n-1) + 1$.

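ASSOCIATION ALGORITHM

Step 1. Put

for all places $\pi \in \Pi$.

Step 2. Pick a set $\{\alpha_1, \ldots, \alpha_\ell\} \subseteq \Pi$ and choose sets $A_\pi$, with $\pi \in \Pi$, such that

$$\bigcup_{\pi \in \Pi} A_\pi \subseteq \mathrm{pow}^*(\{\overline{\alpha_1}, \ldots, \overline{\alpha_\ell}\}).$$

Enlarge each set $\overline{\pi}$ by putting

$$\overline{\pi} \leftarrow \overline{\pi} \cup A_\pi$$

Step 3. Stop or go to Step 2.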

Proof. Sufficiency. Assume, first, that there exist $\Pi$, $x \mapsto \pi^x$, $\pi \mapsto \overline{\pi}$ as in (i), (ii), and (iii) and such that conditions (C1)-(C4) are all satisfied. Then we will prove that the assignment $M^*$ defined on the variables of $\varphi$ by

$$M^*x = \bigcup_{\pi(x)=1} \overline{\pi} \qquad (2)$$

is injective and satisfies all the conjuncts in $\varphi$.

Let $x, y$ be variables occurring in $\varphi$, and assume that $M^*x = M^*y$. We will show that $x = y$. Indeed, since $\bigcup_{\pi(x)=1} \overline{\pi} = \bigcup_{\pi(y)=1} \overline{\pi}$, conditions (C3.a) and (C3.b) imply that $x$ and $y$ are $\Pi$-equivalent, which by (C1) gives $x = y$.

Next we prove that $M^*$ satisfies each conjunct in $\varphi$. Let $x = y \cup z$ (resp. $x = y \setminus z$) occur in $\varphi$. In view of (2) and conditions (C3.a) and (C3.b), in order to prove that $M^*x = M^*y \cup M^*z$ (resp. $M^*x = M^*y \setminus M^*z$) it suffices to show that $\pi(x) = \pi(y) \lor \pi(z)$ (resp. $\pi(x) = \pi(y) \land \lnot\pi(z)$), for all $\pi \in \Pi$. But this follows immediately from Definition 2.4.

Having proved that $M^*$ models correctly all literals in $\varphi$ of type ($=$), we show that membership relations are also satisfied. Let the clause $x \in y$ belong to $\varphi$. By (C2), $\pi^x(y) = 1$. Hence (2) and (C3.c) imply $M^*x = \bigcup_{\pi(x)=1} \overline{\pi} \in \overline{\pi^x} \subseteq \bigcup_{\pi(y)=1} \overline{\pi} = M^*y$, i.e. $M^*x \in M^*y$.

On the other hand, if $x \notin y$ occurs in $\varphi$, then $\pi^x(y) = 0$, so that by (C3.b) we have $\overline{\pi^x} \cap M^*y = \emptyset$, and therefore (C3.c) implies $M^*x \notin M^*y$.

Finally, in view of (2), conditions (C3.d) and (C3.e) respectively imply that powerset and singleton clauses in $\varphi$ are satisfied by $M^*$, thereby completing the proof that $M^*$ injectively satisfies $\varphi$.

Necessity. Next assume that there exists an injective model $M$ of $\varphi$.

The following lemma lists some properties of the model $M$ which are immediate consequences of clauses (1).

LEMMA 3.2 (1) $Mq_0 = \emptyset$, $Mp_0 = \{\emptyset\}$;

(2) $Mq_v$ and $Mp_v$ are transitive sets;

(3) $Mx \subseteq Mp_v$, for all $x \in V$;

(4) $My \in Mp_v$ and $My \subseteq Mq_v$, for all $y \in V \setminus \{p_v\}$;

(5) $Mz \in Mq_v$, for all $z \in V \setminus \{q_v, p_v\}$.

Next we proceed to the construction of $\Pi$, $x \mapsto \pi^x$, and $\pi \mapsto \overline{\pi}$ as from (i)-(iii). Let $\sigma_1, \sigma_2, \ldots, \sigma_n$ be the nonempty disjoint parts of the Venn diagram of the collection of sets $\{My : y \in V \setminus \{p_v\}\}$ in the universe

$$U = \Big(\bigcup_{y \in V} My\Big) \cup \bigcup_{y \in V \setminus \{p_v\}} \{My\} = Mp_v.$$

Then for every set $\sigma_i$ we define

$$\pi_i(y) = \begin{cases} 0 & \text{if } \sigma_i \cap My = \emptyset \\ 1 & \text{if } \sigma_i \subseteq My \end{cases},$$

where $y$ ranges over $V$, and we put $\Pi = \{\pi_1, \ldots, \pi_n\}$. Furthermore, given a variable $y$ in $V \setminus \{p_v\}$, we put $\pi^y = \pi_{i_y}$, where $My \in \sigma_{i_y}$, for some $i_y \in \{1, 2, \ldots, n\}$.

Remark. For each $\pi \in \Pi$, we designate by $\sigma^\pi$ the region of the Venn diagram relative to $M$ and $\varphi$ which induces the place $\pi$. •

It is an easy matter to verify that the $\pi$'s are places of $\varphi$ and that for each $y$ in $V \setminus \{p_v\}$, the place $\pi^y$ is at the variable $y$. Thus (i), (ii), and (C2) hold.

Next we prove that (C1) holds too. Let $x, y$ be two distinct variables occurring in $\varphi$. Since $Mx \neq My$, there exists $s \in (Mx \setminus My) \cup (My \setminus Mx)$, so that $s \in U$ (where $U$ is the universe). Let $\sigma_{i_s}$ be the region of the Venn diagram which contains the set $s$. Whence $\pi_{i_s}(x) \neq \pi_{i_s}(y)$, showing that $x$ and $y$ are not $\Pi$-equivalent.
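The construction of $\Pi$ and $x \mapsto \pi^x$ from an injective model, together with the checks of Definition 2.4, (C1), (C2) and Lemma 3.3(1)-(2), can be carried out on a small finite model. This is an added example, not code from the paper; the conjunction (user variables `a`, `c`), the model `M` and all function names are assumptions constructed for illustration.

```python
from itertools import chain, combinations

def powerset(s):
    """pow(s) as a frozenset of frozensets."""
    items = list(s)
    subsets = chain.from_iterable(combinations(items, k) for k in range(len(items) + 1))
    return frozenset(frozenset(c) for c in subsets)

# Constructed hereditarily finite model M (an assumption of this example).
EMPTY = frozenset()
ONE = frozenset({EMPTY})                       # {0}
A = frozenset({ONE})                           # {{0}}
C = frozenset({EMPTY, ONE})                    # {0, {0}}
QV = frozenset({EMPTY, ONE, A, C})             # transitive closure of the other M y
M = {"q0": EMPTY, "p0": ONE, "a": A, "c": C, "qv": QV, "pv": powerset(QV)}
VARS = list(M)

# Literals of the constructed conjunction phi, including the clauses (1).
UNIONS = [("c", "a", "p0")]                            # x = y U z
DIFFS = [("q0", "q0", "q0"), ("q0", "qv", "pv")]       # x = y \ z
MEMBERS = [(x, "qv") for x in ("q0", "p0", "a", "c")]  # x in y
SINGLETONS = [("a", "p0")]                             # x = {y}
POWERSETS = [("p0", "q0"), ("pv", "qv")]               # x = pow(y)

def injectively_satisfies(M):
    """M maps distinct variables to distinct sets and satisfies every literal."""
    return (len(set(M.values())) == len(M)
            and all(M[x] == M[y] | M[z] for x, y, z in UNIONS)
            and all(M[x] == M[y] - M[z] for x, y, z in DIFFS)
            and all(M[x] in M[y] for x, y in MEMBERS)
            and all(M[x] == frozenset({M[y]}) for x, y in SINGLETONS)
            and all(M[x] == powerset(M[y]) for x, y in POWERSETS))

def universe(M):
    """U = (union of all M y) together with the sets M y for y other than pv."""
    return frozenset().union(*M.values()) | frozenset(M[y] for y in M if y != "pv")

def venn_places(M):
    """Map each induced place (0/1 tuple indexed like VARS) to its Venn region."""
    regions = {}
    for s in universe(M):
        pi = tuple(int(s in M[y]) for y in VARS)
        regions.setdefault(pi, set()).add(s)
    return {pi: frozenset(r) for pi, r in regions.items()}

def is_place(pi):
    """Definition 2.4: pi respects every union and difference literal."""
    v = dict(zip(VARS, pi))
    return (all(v[x] == (v[y] | v[z]) for x, y, z in UNIONS)
            and all(v[x] == (v[y] & (1 - v[z])) for x, y, z in DIFFS))

def place_at(M, regions, y):
    """The place whose region contains the set M y (defined for y other than pv)."""
    return next(pi for pi, r in regions.items() if M[y] in r)

def is_at(pi, x):
    """pi is at x: pi(y) = 1 for every literal 'x in y' (phi has no 'x not in y')."""
    v = dict(zip(VARS, pi))
    return all(v[y] == 1 for w, y in MEMBERS if w == x)

def pi_equivalent(regions, x, y):
    """x and y are Pi-equivalent when no place separates them (negation of C1)."""
    i, j = VARS.index(x), VARS.index(y)
    return all(pi[i] == pi[j] for pi in regions)

def rebuild(regions, x):
    """Union of the regions of the places with pi(x) = 1; this recovers M x."""
    i = VARS.index(x)
    return frozenset().union(*(r for pi, r in regions.items() if pi[i] == 1))

if __name__ == "__main__":
    R = venn_places(M)
    for pi, r in sorted(R.items(), reverse=True):
        print(dict(zip(VARS, pi)), "region size", len(r))
```

Taking each region as the set associated with its place, `rebuild` is equation (2) applied to this model, and it returns the original sets $Mx$.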

To complete the proof of the necessity of conditions (C1)-(C4) we need to exhibit an instantiation of the Association Algorithm which produces the sets $\overline{\pi}$ in at most

$$(p-2)(n-1)2^{n-1} + 3 \cdot 2^{n-1} - 2$$

executions of Step 2 and such that (C3.a)-(C3.e) are satisfied. This is accomplished by using the given model $M$ as an 'oracle' which permits us to 'extract' a transformed canonical model of $\varphi$. Such canonical model will have rank bounded by a doubly exponential expression in the size of $V$.
The following lemma expresses some useful facts about the regions of the Venn diagram relative to $M$ and $\varphi$ and their corresponding places.

LEMMA 3.3 (1) $\sigma^{\pi^{q_0}} = \{\emptyset\}$ and $\pi^{q_0}$ is the unique place $\pi \in \Pi$ such that $\pi(p) = 1$ for all powerset clauses $p = \mathrm{pow}(q)$ in $\varphi$.

(2) $\sigma^{\pi^{q_v}} = Mp_v \setminus Mq_v$. Hence $\pi^{q_v}(p_v) = 1$ and $\pi^{q_v}(q_v) = 0$.

(3) $\pi(q_v) = 1$, for each $\pi \in \Pi \setminus \{\pi^{q_v}\}$.

(4) $n = |\Pi| < 2^{|V|-1} + 1$.

(5) If $x = \{y\}$ occurs in $\varphi$, then $\pi^y$ is the unique place $\pi \in \Pi$ such that $\pi(x) = 1$.

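Proof. As $\emptyset = Mq_0 \in \sigma^{\pi^{q_0}} \cap Mp_0$, then $\sigma^{\pi^{q_0}} \subseteq Mp_0 = \{\emptyset\}$, which implies $\sigma^{\pi^{q_0}} = \{\emptyset\}$. Therefore $\sigma^{\pi^{q_0}} \subseteq \mathrm{pow}(s)$ for all sets $s$ and in particular $\sigma^{\pi^{q_0}} \subseteq Mp$, i.e. $\pi^{q_0}(p) = 1$, for all powerset clauses $p = \mathrm{pow}(q)$ in $\varphi$. The uniqueness of $\pi^{q_0}$ follows plainly since $q_0 = q_0 \setminus q_0 \land p_0 = \mathrm{pow}(q_0)$ occurs in $\varphi$. Thus (1) is proved.

Concerning (2), since $Mq_v \in \sigma^{\pi^{q_v}}$, we have $\sigma^{\pi^{q_v}} \subseteq Mp_v \setminus Mq_v$. If $\sigma^\pi \subseteq Mp_v \setminus Mq_v$ for some $\pi \neq \pi^{q_v}$, then there would exist a variable $y$ in $\varphi$ such that

$$\sigma^{\pi_0} \cap My = \emptyset \text{ and } \sigma^{\pi_1} \subseteq My,$$

where $\{\pi_0, \pi_1\} = \{\pi, \pi^{q_v}\}$. Hence from Lemma 3.2(3) it would follow $y \neq p_v$, which by (4) of the same lemma would imply $My \subseteq Mq_v$. This inclusion in turn would give $\sigma^{\pi_1} \subseteq Mq_v$, a contradiction. Therefore $\sigma^{\pi^{q_v}} = Mp_v \setminus Mq_v$, and (2) is proved.

Next, to prove (3) we consider $\pi \in \Pi \setminus \{\pi^{q_v}\}$. Lemma 3.2(3) implies $\sigma^\pi \subseteq Mp_v \setminus \sigma^{\pi^{q_v}} = Mq_v$, which yields $\pi(q_v) = 1$.

Concerning (4) it suffices to note that by (3) $|\{\pi \in \Pi : \pi(q_v) = 1\}| < 2^{|V|-1}$.

Finally, to prove (5) we observe that $My \in \sigma^{\pi^y} \subseteq Mx$, so that $\sigma^{\pi^y} = \{My\} = Mx$, showing that $\pi^y$ is the unique place $\pi \in \Pi$ such that $\pi(x) = 1$. Thus the proof of the lemma is completed. •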

Next we introduce the concepts of P-nodes and their P-targets, which will play a central rôle in the proof of the necessity of conditions (C4) and (C3).

Let $\mathrm{pow}^*(\{\sigma^{\alpha_1}, \ldots, \sigma^{\alpha_\ell}\}) \cap \sigma^\beta \neq \emptyset$, for some regions $\sigma^{\alpha_1}, \ldots, \sigma^{\alpha_\ell}, \sigma^\beta$ of the Venn diagram relative to $M$ and $\varphi$. Then there exists $s \in \mathrm{pow}^*(\{\sigma^{\alpha_1}, \ldots, \sigma^{\alpha_\ell}\}) \cap \sigma^\beta$, and we can write $s = \bigcup_{i=1}^{\ell}(s \cap \sigma^{\alpha_i})$, where all the sets $s \cap \sigma^{\alpha_i}$ appearing in the union are nonempty. For every powerset clause $p = \mathrm{pow}(q)$ in $\varphi$ such that $\beta(p) = 1$, we have $\sigma^\beta \subseteq Mp$ and consequently $s \in \mathrm{pow}(Mq)$. Thus $s \cap \sigma^{\alpha_i} \subseteq Mq$ and hence $\sigma^{\alpha_i} \subseteq Mq \subseteq Mq_v$, for all $i = 1, \ldots, \ell$, implying that $\alpha_i(q) = 1$ (and $\alpha_i(q_v) = 1$) for all $i = 1, \ldots, \ell$. In the same way it can be shown that for a given powerset clause $p = \mathrm{pow}(q)$ in $\varphi$, if $\alpha_i(q) = 1$, $i = 1, \ldots, \ell$, then $\beta(p) = 1$. These semantic considerations suggest the following definition, which is purely syntactic.

DEFINITION 3.4 (a) Any subset of $\Pi \setminus \{\pi^{q_v}\}$ is called a P-node.

(b) Let $A$ be a P-node. A place $\beta$ is called a P-target (or simply a target) of $A$ if for every powerset clause $p = \mathrm{pow}(q)$ in $\varphi$ we have

$$\beta(p) = 1 \text{ if and only if } \alpha(q) = 1, \text{ for all } \alpha \in A.$$

Remark. In the following for each P-node $A$ we will write $T(A)$ to denote the set of P-targets of $A$, so that $T$ maps the set $\mathrm{pow}(\Pi \setminus \{\pi^{q_v}\})$ into $\mathrm{pow}(\Pi)$. •

The discussion preceding Definition 3.4 is now restated in terms of the new concepts just introduced.

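LEMMA 3.5 Let $\mathrm{pow}^*(\{\sigma^{\alpha_1}, \ldots, \sigma^{\alpha_\ell}\}) \cap \sigma^\beta \neq \emptyset$, for some places $\alpha_1, \ldots, \alpha_\ell, \beta$ of $\varphi$. Then $\{\alpha_1, \ldots, \alpha_\ell\}$ is a P-node and $\beta$ is a target of $\{\alpha_1, \ldots, \alpha_\ell\}$, i.e. $\beta \in T(\{\alpha_1, \ldots, \alpha_\ell\})$.

The following lemma states other useful facts about P-nodes and their targets.

LEMMA 3.6 (a) $T(\emptyset) = \{\pi^{q_0}\}$;

(b) $\bigcup T(A) = \Pi$;

(c) $\sigma^\beta \subseteq \bigcup \mathrm{pow}^*(\{\sigma^\alpha : \alpha \in A\})$, for all places $\beta \in \Pi$;

(d) $\mathrm{pow}^*(\{\sigma^\alpha : \alpha \in A\}) \subseteq \bigcup_{\beta \in T(A)} \sigma^\beta$, for all P-nodes $A$.

(e) $|T(A)| \le n - 1$, for all P-nodes $A$.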

Proof. From Definition 3.4(b), $\pi \in T(\emptyset)$ if and only if $\pi(p) = 1$ for all powerset clauses $p = \mathrm{pow}(q)$ in $\varphi$. Therefore (a) follows at once from Lemma 3.3(1).

Concerning (b), it is enough to show that every place $\beta \in \Pi$ is target of some P-node $A$. Let $s \in \sigma^\beta$ and consider $A_s = \{\pi \in \Pi : \sigma^\pi \cap s \neq \emptyset\}$. As $s \in Mp_v$, then $s \subseteq Mq_v$, implying that $A_s$ is a P-node and that $s \in \mathrm{pow}^*(\{\sigma^\pi : \pi \in A_s\}) \cap \sigma^\beta$. By Lemma 3.5, the latter membership implies $\beta \in T(A_s)$, proving (b). Moreover, it follows that

$$\sigma^\beta \subseteq \bigcup \mathrm{pow}^*(\{\sigma^\pi : \pi \in A_s\}) \subseteq \bigcup \mathrm{pow}^*(\{\sigma^\alpha : \alpha \in A\}),$$

thus establishing (c).

Concerning (d), let $A$ be a P-node. Since by definition $A \subseteq \Pi \setminus \{\pi^{q_v}\}$, use of Lemma 3.3(3) gives $\alpha(q_v) = 1$, for all $\alpha \in A$, i.e. $\bigcup_{\alpha \in A} \sigma^\alpha \subseteq Mq_v$. Hence $\mathrm{pow}^*(\{\sigma^\alpha : \alpha \in A\}) \subseteq \mathrm{pow}\big(\bigcup_{\alpha \in A} \sigma^\alpha\big) \subseteq \mathrm{pow}(Mq_v) = Mp_v = \bigcup_{i=1}^{n} \sigma_i$. Let $\sigma^{\beta_1}, \ldots, \sigma^{\beta_k}$ be all parts of the Venn diagram which have nonempty intersection with $\mathrm{pow}^*(\{\sigma^\alpha : \alpha \in A\})$. Hence $\mathrm{pow}^*(\{\sigma^\alpha : \alpha \in A\}) \subseteq \bigcup_{i=1}^{k} \sigma^{\beta_i}$. Moreover, the preceding lemma implies that $\{\beta_1, \ldots, \beta_k\} \subseteq T(A)$, proving (d).

Finally, from (a) $|T(\emptyset)| = |\{\pi^{q_0}\}| = 1 \le n - 1$, because $n \ge 3$. On the other hand, if $A \neq \emptyset$, then $\alpha(q_0) = 0$ for all $\alpha \in A$, so that $\beta(p_0) = 0$ for all targets of $A$. Since $\pi^{q_0}(p_0) = 1$, it follows $T(A) \subseteq \Pi \setminus \{\pi^{q_0}\}$, thus showing $|T(A)| \le n - 1$ in all cases and concluding the proof of the lemma. •

To prepare for the required construction of the map $\pi \mapsto \overline{\pi}$ in (iii), we need a bit of additional terminology.

As above, let $p$ be an integer such that

$$p \ge 2 \text{ and } 2^{p-1} > p(n-1) + 1,$$

where $n = |\Pi|$.

DEFINITION 3.7 A place $\pi \in \Pi$ is called $M$-$p$-trapped if $|\sigma^\pi| < p$. A P-node $\{\alpha_1, \ldots, \alpha_\ell\}$ is called $M$-$p$-trapped if for $i = 1, \ldots, \ell$ each $\alpha_i$ is trapped.

Remark. In what follows, $M$-$p$-trapped places and $M$-$p$-trapped P-nodes will be referred to simply as trapped places and trapped P-nodes, since the model $M$ and the constant $p$ will not change in the course of our proof. •

DEFINITION 3.8 For places $\alpha, \beta \in \Pi$ we write $\alpha < \beta$ if

$$\mathrm{rank}(\sigma^\alpha) < \mathrm{rank}(\sigma^\beta).$$

Remark. Since the relation $<$ over $\Pi$ defined above is clearly acyclic, it can be extended to a linear ordering in $\Pi$, which we will designate by the same symbol $<$.

We  have  the  following  lemma. 
LEMMA 3.9 (a) $\pi^{q_0} = \min \Pi$ and $\pi^{q_v} = \max \Pi$.

(b) Let $\{\alpha_1, \ldots, \alpha_\ell\}$ be a nontrapped P-node. Then $\{\alpha_1, \ldots, \alpha_\ell\}$ has at least one nontrapped target $\beta$ such that $\beta > \max_{i=1,\ldots,\ell} \alpha_i$.

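Proof. Concerning (a), it is enough to observe that by Lemma 3.3 $\mathrm{rank}(\sigma^{\pi^{q_0}}) < \mathrm{rank}(\sigma^\pi)$, for all $\pi \in \Pi \setminus \{\pi^{q_0}\}$, and $\mathrm{rank}(\sigma^{\pi^{q_v}}) > \mathrm{rank}(\sigma^\pi)$, for all $\pi \in \Pi \setminus \{\pi^{q_v}\}$.

To prove (b), let $A = \{\alpha_1, \ldots, \alpha_\ell\}$ be a nontrapped P-node. This means that $|\sigma^{\alpha_{j_0}}| \ge p$ for some $j_0 \in \{1, \ldots, \ell\}$. Hence it is easy to see that

$$|\{t \in \mathrm{pow}^*(\{\sigma^{\alpha_1}, \ldots, \sigma^{\alpha_\ell}\}) : \mathrm{rank}(t) = \mathrm{rank}(\sigma^{\alpha_1} \cup \ldots \cup \sigma^{\alpha_\ell})\}| \ge 2^{p-1}.$$

From this inequality, Lemma 3.5 (d) and the pigeon-hole principle we deduce that there must exist a place $\beta \in T(A)$ such that

$$|\{t \in \mathrm{pow}^*(\{\sigma^{\alpha_1}, \ldots, \sigma^{\alpha_\ell}\}) : \mathrm{rank}(t) = \mathrm{rank}(\sigma^{\alpha_1} \cup \ldots \cup \sigma^{\alpha_\ell})\} \cap \sigma^\beta| \ge p,$$

since by Lemma 3.6(d) $2^{p-1} > p(n-1) + 1 > p|T(A)|$. Hence $|\sigma^\beta| \ge p$, i.e. $\beta$ is nontrapped, and

$$\mathrm{rank}(\sigma^{\alpha_i}) \le \mathrm{rank}(\sigma^{\alpha_1} \cup \ldots \cup \sigma^{\alpha_\ell}) < \mathrm{rank}(\sigma^\beta), \text{ for all } i = 1, \ldots, \ell,$$

i.e. $\alpha_i < \beta$, for all $i = 1, \ldots, \ell$. This completes the proof of the lemma. •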

Let $A = \{\alpha_1, \ldots, \alpha_\ell\}$ be a P-node. Then since $\mathrm{Un}(\{\sigma^\alpha : \alpha \in A\}) \in \mathrm{pow}^*(\{\sigma^\alpha : \alpha \in A\})$, by Lemma 3.6(d) we have $\mathrm{Un}(\{\sigma^\alpha : \alpha \in A\}) \in \sigma^\tau$, for some place $\tau \in T(A)$. The preceding discussion justifies the following definition.

DEFINITION 3.10 Let $A$ be a P-node. The place $\tau \in T(A)$ such that $\mathrm{Un}(\{\sigma^\alpha : \alpha \in A\}) \in \sigma^\tau$ is called the principal target of $A$ and is denoted by $\pi^A$.

The following two lemmas state useful properties of principal targets.

LEMMA 3.11 Let $A$ be a P-node and let $x$ be a variable in $\varphi$ such that $A = \{\pi \in \Pi : \pi(x) = 1\}$. Then the principal target of $A$ is the place $\pi^x$ at the variable $x$.

Proof. It is enough to observe that under the hypotheses of the lemma we have $\mathrm{Un}(\{\sigma^\alpha : \alpha \in A\}) = Mx \in \sigma^{\pi^x}$. •

LEMMA 3.12 Let $A$ be a P-node and let $\pi^A$ be its principal target. Then $\alpha < \pi^A$ for all $\alpha \in A$, where $<$ is the ordering relation introduced in Definition 3.8.

Proof. By definition we have $\mathrm{Un}(\{\sigma^\alpha : \alpha \in A\}) \in \sigma^{\pi^A}$, so that $\mathrm{rank}(\sigma^\alpha) < \mathrm{rank}(\sigma^{\pi^A})$, i.e. $\alpha < \pi^A$, for all $\alpha \in A$. •

We will prove Theorem 3.1 by showing how to use the model $M$ to find an Instantiated Variant of the Association Algorithm (I.V.A.A.). This instantiation, shown below, will consist of

(a) an Initialization Phase, followed by

(b) a Stabilization Loop, which is in turn divided into

(b1) a Blocking Phase, and
(b2) a Propagation Phase;

(c) a procedure called Distribute.

The Instantiated Algorithm which we present uses an arbitrary, perhaps infinite, model of $\varphi$ to build a canonical model of $\varphi$. This is done in the following way:

(I) For each place $\pi \in \Pi$, the set $\overline{\pi}$ is initialized to the nullset.

(II) The sets $\overline{\pi}$ are then enlarged progressively (always by calls to the Distribute subprocedure). As enlargement proceeds, an auxiliary 1-1 map $f$ is maintained. The domain of $f$ is always a subset of $\bigcup_{\pi \in \Pi} \overline{\pi}$, and $f$ always maps $\overline{\pi}$ into $\sigma^\pi$; moreover $f$ is defined on all of $\overline{\pi}$ as long as $|\overline{\pi}|$ remains less than the critical size $p$. We always have $|\overline{\pi}| < p$ if $\pi$ is trapped, so that when $\pi$ is trapped $f$ will turn out to be an 'isomorphism' from $\overline{\pi}$ into $\sigma^\pi$. Moreover, the sets $\overline{\pi}$ remain mutually disjoint as they are enlarged.

(III) As the computation proceeds, places $\pi$ successively become 'blocked'; once a place $\pi$ becomes blocked, the set $\overline{\pi}$ ceases to expand. Places become blocked in increasing sequence, according to the ordering relationship $\alpha < \beta$, i.e. if $\alpha < \beta$ then $\alpha$ must already have become blocked when $\beta$ becomes blocked.

(IV) The condition that $\mathrm{pow}^*(\{\overline{\alpha_1}, \ldots, \overline{\alpha_\ell}\}) \cap \overline{\beta} \neq \emptyset$ only when $\beta$ is a target of $\{\alpha_1, \ldots, \alpha_\ell\}$ (cf. Lemma 3.5) is maintained, and moreover the Instantiated Algorithm operates in such a way that elements $t \in \mathrm{pow}^*(\{\overline{\alpha_1}, \ldots, \overline{\alpha_\ell}\}) \cap \overline{\beta}$ are only introduced by calls $\mathrm{Distribute}(\alpha_1, \ldots, \alpha_\ell)$, with $\alpha_1, \ldots, \alpha_\ell$ as argument list.
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The  Main  Inductive  Lemma  (Lemma  3.14)  to  be  proved  in  the  next  section 
will  show  that  the  Instantiated  Algorithm  maintains  these  invariants,  eind  also 
will  establish  various  other  properties  of  the  Instantiated  Algorithm  required  for 
the  necessary  inductive  proof.  In  Section  5  it  will  be  proved  that  the  I.V.A.A. 
terminates  and  a  bound  on  its  execution  lenght  wUl  be  established.  After  the 
rather  lengthy  detailed  proofs  of  the  Main  Inductive  Lemma  and  the  Termina- 
tion Lemma,  it  will  become  relatively  easy  to  show  that  the  sets  n  generated  by 
the  Insteintiated  Algorithm  define  a  model  for  4>  the  rank  of  each  of  whose  sets 
satisfies  &n  a  pnon  bound.  This  additional  conclusion,  which  clearly  establishes 
satisfiability  of  the  decision  problem  for  MLSSP  wUl  be  proved  at  the  end  of 
this  section. 

In full detail, the Instantiated Variant of the Association Algorithm is as follows.

[INITIALIZATION PHASE]

    Put $\bar{\pi} \leftarrow \emptyset$ for all places $\pi \in \Pi$.
    Put $f \leftarrow \emptyset$.
    Mark all places as 'unblocked'.
    Mark all P-nodes as 'unblocked'.

[END INITIALIZATION PHASE]

[STABILIZATION LOOP]

WHILE there exist unblocked places DO

    [BLOCKING PHASE]

    try_block_next_item:

        Let $\vartheta_0$ be the minimum unblocked place in the ordering $<$ of places.
        [Comment: $\vartheta_0$ is the next candidate to be blocked.]

        IF ($\vartheta_0$ is trapped and $|\bar{\vartheta}_0| = |\sigma^{\vartheta_0}|$)
           or ($\vartheta_0$ is nontrapped and $|\bar{\vartheta}_0| > \rho$
               and $|\bar{\vartheta}_0 \cap pow^*(\{\bar{\alpha}_1, \ldots, \bar{\alpha}_\ell\})| = |\sigma^{\vartheta_0} \cap pow^*(\{\sigma^{\alpha_1}, \ldots, \sigma^{\alpha_\ell}\})|$
               for every P-node $\{\alpha_1, \ldots, \alpha_\ell\}$ which is such that $|\bar{\alpha}_j| < \rho$, for all $j = 1, \ldots, \ell$) THEN

            mark $\vartheta_0$ as 'blocked';

            FOR ALL P-nodes $\{\vartheta_0, \vartheta_1, \ldots, \vartheta_k\}$ such that all of $\vartheta_1, \ldots, \vartheta_k$ are blocked DO
                mark $\vartheta_0$ as 'blocked';
                Distribute($\vartheta_0, \vartheta_1, \ldots, \vartheta_k$); (Note: The code for the procedure involved here is shown below.)
            END FOR ALL;

            GOTO try_block_next_item;

        END IF;

    [END BLOCKING PHASE]

    [Comment: When the preceding IF test fails, we enter the Propagation Phase.]

    [PROPAGATION PHASE]

        Pick a node $A = \{\alpha_1, \ldots, \alpha_\ell\}$ marked unblocked and such that either
        ($0 < |\bar{\alpha}_1|, \ldots, |\bar{\alpha}_\ell| < \rho$ and $pow^*(\{\bar{\alpha}_1, \ldots, \bar{\alpha}_\ell\}) \setminus \bigcup_{\beta \in T(A)} \bar{\beta} \neq \emptyset$)
        or ($\bar{\alpha}_i \neq \emptyset$, for $i = 1, \ldots, \ell$, and $|\bar{\alpha}_j| > \rho$ for some $j \in \{1, \ldots, \ell\}$),
        if any such unblocked P-nodes exist, and call Distribute($\alpha_1, \ldots, \alpha_\ell$);

    [END PROPAGATION PHASE]

END WHILE;

[END STABILIZATION LOOP]

[END I.V.A.A.]

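Next we show the details of the 'Distribute' subprocedure used in the preceding code.

PROCEDURE Distribute($\alpha_1, \ldots, \alpha_\ell$);

    ASSERT Assertion A: $\{\alpha_1, \ldots, \alpha_\ell\}$ is a P-node which is either marked unblocked or blocked, but not visited.
    END ASSERT [Assertion A];

    IF $|\bar{\alpha}_i| < \rho$ for all $i = 1, \ldots, \ell$ THEN
        GOTO update_for_small_alphas;
    ELSE [Comment: $|\bar{\alpha}_j| > \rho$ for some $j \in \{1, \ldots, \ell\}$]
        GOTO update_for_one_large_alpha;
    END IF;

update_for_small_alphas:

    For all $\pi \in \Pi$ let

    $$\Delta_\pi = \bar{f}^{-1}\big[pow^*(\{f[\bar{\alpha}_1], \ldots, f[\bar{\alpha}_\ell]\}) \cap \sigma^{\pi}\big] \setminus \bigcup_{\beta \in T(A)} \bar{\beta}$$

    (where we recall that $\bar{f}$ denotes the function defined on the parts of the domain of $f$ by $\bar{f}(B) = f[B]$, for $B \subseteq dom(f)$).

    ASSERT Assertion B:

        (B.1) $\Delta_\pi = \emptyset$, for all $\pi \in \Pi \setminus T(A)$.

        (B.2) $\{\Delta_\pi : \pi \in \Pi\}$ is a partition of $pow^*(\{\bar{\alpha}_1, \ldots, \bar{\alpha}_\ell\}) \setminus \bigcup_{\beta \in T(A)} \bar{\beta}$.

        (B.3) If $\Delta_\beta \neq \emptyset$ then the place $\beta$ is an unblocked target of $\{\alpha_1, \ldots, \alpha_\ell\}$, for all $\beta \in \Pi$.

    END ASSERT [Assertion B];

    Put

    $$f \leftarrow f \cup \bar{f}\,|_{pow^*(\{\bar{\alpha}_1, \ldots, \bar{\alpha}_\ell\})}.$$

    Also put

    $$\bar{\pi} \leftarrow \bar{\pi} \cup \Delta_\pi,$$

    for each place $\pi \in \Pi$.
    GOTO exit;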

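update_for_one_large_alpha:

Let $\beta_1, \ldots, \beta_g, \tau_1, \ldots, \tau_k, \nu_1, \ldots, \nu_h$ be all the targets of $\{\alpha_1, \ldots, \alpha_\ell\}$, where the $\beta$'s are the blocked targets, the $\tau$'s are the unblocked trapped targets and the $\nu$'s are the unblocked nontrapped targets of $\{\alpha_1, \ldots, \alpha_\ell\}$, respectively.
Let

$$\Delta' = pow^*(\{\bar{\alpha}_1, \ldots, \bar{\alpha}_\ell\}) \setminus \bigcup_{\beta \in T(A)} \bar{\beta} \setminus \{\bar{\alpha}_1 \cup \ldots \cup \bar{\alpha}_\ell\},$$

$$\Delta'' = \begin{cases} \emptyset & \text{if } A \text{ is not blocked} \\ \{\bar{\alpha}_1 \cup \ldots \cup \bar{\alpha}_\ell\} & \text{if } A \text{ is blocked.} \end{cases}$$

Also let

$$\Delta = \Delta' \cup \Delta''.$$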

X       [  0  if  A  is  blocked 

*^     "  1    {ct°'  U  . . .  U  cr'*'}     if  A  is  not  6/ocJted    " 


In  addition,  for  all  unblocked  trapped  targets  Tj,  . . . ,  r^  of  A,  let 

n,  =  \a^'npou'{{c7"\...,a"'})\a^\-\T-npow'{{a:,...,al})\. 

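ASSERT Assertion C:

(C.1) $\bar{\alpha}_1 \cup \ldots \cup \bar{\alpha}_\ell \notin \bigcup_{\beta \in T(A)} \bar{\beta}$.

(C.2) $\sigma^{\alpha_1} \cup \ldots \cup \sigma^{\alpha_\ell} \in \sigma^{\pi^A} \cap pow^*(\{\sigma^{\alpha_1}, \ldots, \sigma^{\alpha_\ell}\}) \setminus range(f)$, where $\pi^A$ is the principal target of the P-node $A$.

(C.3) There exists a partition $\Delta_{\tau_1}, \ldots, \Delta_{\tau_k}, \Delta_{\nu_1}, \ldots, \Delta_{\nu_h}$ of the set $\Delta$ such that

(C.3.a) $|\Delta_{\tau_j}| = n_j$ for each $j = 1, \ldots, k$;

(C.3.b) if $\Delta' \neq \emptyset$ then $|\Delta_{\nu_i}| > \rho$, for each $i = 1, \ldots, h$; and

(C.3.c) $\Delta'' \subseteq \Delta_{\pi^A}$.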

(C.4)  For  each  j  =  1, ...,  jfc, 

"j  =  k"'npou;'({<T°',...,a°'})\<7^\ran(7e(/)| 

(so  that  the  sets  A^^  and  a""'  n  pow*{{(7°'^,. . .,  cr°''})\ 
a     \range{f)  can  be  put  in  1-1  correspondence). 

END  ASSERT  [Assertion  C]; 

Let $\{\Delta_\pi : \pi \in \Pi\}$ be a partition of the set $\Delta$ such that

• $|\Delta_{\tau_j}| = n_j$, for each $j = 1, \ldots, k$;

• if $\Delta' \neq \emptyset$ then $|\Delta_{\nu_i}| > \rho$, for each $i = 1, \ldots, h$;

• $\Delta'' \subseteq \Delta_{\pi^A}$;

• $\Delta_\pi = \emptyset$, if $\pi \in \Pi \setminus \{\tau_1, \ldots, \tau_k, \nu_1, \ldots, \nu_h\}$.

Also,  for  each  j  =  1, . . .,  fc,  let  fr^  denote  a  1-1  correspondence  between  Ar, 
and  the  set  a'^-'  fl  pow*{{cT°^, . .  .^a"'})  \  c'^  \  Tange{f),  such  that  if  >i  is 
blocked  and  the  principeil  target  tt"*  of  A  is  trapped,  then  f^A  {a\  U  . . .  U  aj) 
=  a°i  U  ...U  a°'. 

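[Comment: From the preceding assertion, it follows immediately that such partition $\{\Delta_\pi : \pi \in \Pi\}$ and functions $f_{\tau_1}, \ldots, f_{\tau_k}$ exist.]

Put

$$\bar{\pi} \leftarrow \bar{\pi} \cup \Delta_\pi,$$

for all $\pi \in \Pi$.

Also put

$$f \leftarrow f \cup f_{\tau_1} \cup \ldots \cup f_{\tau_k}.$$

IF $\{\alpha_1, \ldots, \alpha_\ell\}$ is marked unblocked THEN
    mark $\{\alpha_1, \ldots, \alpha_\ell\}$ as 'visited'
END IF;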

ASSERT         Assertion  Z):  If  tt  is  trapped,  then 

\a^^^pow\{a°\. .  .,(7"'})  \  a^\  =  \f  ^^pow'{{a{, . .  .,a7})|;      . 

END  ASSERT  [Assertion  D]] 
exit: 

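ASSERT Assertion E:

(E.1) $f$ is a 1-1 function.
(E.2) $dom(f) \subseteq \bigcup_{\pi \in \Pi} \bar{\pi}$.
(E.3) $f[\bar{\pi}] \subseteq \sigma^{\pi}$, for all $\pi \in \Pi$.
(E.4) If $|\bar{\pi}| < \rho$ then $\bar{\pi} \subseteq dom(f)$.
(E.5) If $\pi$ is trapped, then $|\bar{\pi}| < |\sigma^{\pi}|$.
(E.6) $\bar{\alpha} \cap \bar{\beta} = \emptyset$, for all $\alpha, \beta \in \Pi$ with $\alpha \neq \beta$.
(E.7) If $u \in pow^*(\{\bar{\gamma} : \gamma \in \Gamma\}) \cap (\bigcup_{\pi \in \Pi} \bar{\pi})$, with $\Gamma$ any P-node such that $|\bar{\gamma}| < \rho$ for each $\gamma \in \Gamma$, then $u \in dom(f)$, $u \subseteq dom(f)$ and $f(u) = f[u]$.
(E.8) If $u \in pow^*(\{\bar{\gamma} : \gamma \in \Gamma\}) \cap dom(f)$, with $\Gamma$ any P-node, then $f(u) \in pow^*(\{\sigma^{\gamma} : \gamma \in \Gamma\})$.
(E.9) If $t \in pow^*(\{\bar{\gamma}_1, \ldots, \bar{\gamma}_h\}) \cap \bar{\delta} \neq \emptyset$, for some places $\gamma_1, \ldots, \gamma_h, \delta \in \Pi$, then
(E.9.a) $\{\gamma_1, \ldots, \gamma_h\}$ is a P-node;
(E.9.b) $\delta$ is a target of $\{\gamma_1, \ldots, \gamma_h\}$;
(E.9.c) $t$ must have been introduced into $\bar{\delta}$ during the execution of an earlier call to the procedure Distribute, and the argument to this prior call must have been the same P-node $\{\gamma_1, \ldots, \gamma_h\}$.

END ASSERT [Assertion E];

END PROCEDURE Distribute.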

Remark. As just presented, the I.V.A.A. is still nondeterministic. Indeed, our Propagation Phase code does not specify how the unblocked P-node is to be chosen among all nodes which satisfy the condition appearing in the code. Moreover, the body of the procedure Distribute does not specify what partition $\{\Delta_\pi : \pi \in \Pi\}$ of the set $\Delta$ is to be used when a P-node $\{\alpha_1, \ldots, \alpha_\ell\}$, with $\bar{\alpha}_i \neq \emptyset$ for all $i = 1, \ldots, \ell$ and $|\bar{\alpha}_j| > \rho$ for some $j \in \{1, \ldots, \ell\}$, is processed. Nevertheless it is unnecessary to specify these final details since we will show that every possible instantiation of the I.V.A.A. represents an acceptable instance of the Association Algorithm. •

The following lemma lists some immediate properties of the I.V.A.A. which can be proved just by inspection of its code.

LEMMA 3.13 For all possible computations of the I.V.A.A. we have:

(a) After the Initialization Phase the sets $\bar{\pi}$ are modified only by calls to the procedure Distribute, and each such modification of a set $\bar{\pi}$ enlarges it.

(b) Once $|\bar{\alpha}_j| > \rho$ for some $j \in \{1, \ldots, \ell\}$, a P-node $\{\alpha_1, \ldots, \alpha_\ell\}$ can be processed at most once by a call to the procedure Distribute made from the Propagation Phase.

(c) Every P-node can be processed at most once by a call to the procedure Distribute made from the Blocking Phase.

(d) When a P-node $\{\alpha_1, \ldots, \alpha_\ell\}$ is processed by the procedure Distribute, all places $\beta$ such that $\beta > \alpha_i$ for all $i = 1, \ldots, \ell$ are unblocked.

(e) Once a place becomes blocked it cannot subsequently become unblocked.

(f) At each call of the procedure Distribute, if all ASSERT-statements are executed successfully then Assertion E is executed.

Let $K$ be an execution of the I.V.A.A., and let $C_1, C_2, C_3, \ldots$ be the sequence of calls to the procedure Distribute arranged in the order in which they occur during the computation $K$.

For each place $\pi \in \Pi$, let $\bar{\pi}^{(r)}$ (resp. $\Delta_\pi^{(r)}$), $r > 1$, designate the value of $\bar{\pi}$ (resp. the value of $\Delta_\pi$) just after (resp. during) the execution of the $r$-th call $C_r$. Analogously, we will denote by $f^{(r)}$ the value of $f$ after completion of $C_r$. Moreover, for a given ASSERT-instruction labelled 'Assertion X' and executed during the processing of the call $C_r$, we denote by 'Assertion $X^{(r)}$' the result of substituting in it each program variable by its corresponding value at the time the ASSERT statement is executed. Finally, we put $\bar{\pi}^{(0)} = f^{(0)} = \emptyset$, for all $\pi \in \Pi$.

The following basic lemmas, which will be proved in the next sections, express the correctness of the I.V.A.A.

LEMMA 3.14 (Main Inductive Lemma: Partial correctness) All ASSERT-statements encountered during the computation $K$ are executed successfully.

LEMMA 3.15 (Termination) The number of calls $C_1, C_2, C_3, \ldots$ in the computation $K$ is bounded by $(\rho - 2)(n - 1)2^{n-1} + 3 \cdot 2^{n-1} - 2$. Moreover, when the last call to the procedure Distribute is made, all places $\pi \in \Pi$ are already blocked.

Having assumed the validity of Lemma 3.14 and Lemma 3.15, we will prove below that the sets $\bar{\pi}$ produced by the computation $K$ satisfy both conditions (C3) and (C4).

Let  Q  be  the  last  call  to  Distribute  in  the  computation  K.  For  simplicity, 
we  will  often  write  x  in  place  of  Tf^^\  for  all  x  6  IT,  and  /  in  place  of  f^^'. 

In order to prove that condition (C3.a) is fulfilled, it is enough to observe that since all places $\pi \in \Pi$ are blocked at the end of the computation $K$, then either $|\bar{\pi}| = |\sigma^{\pi}|$, if $\pi$ is trapped, or $|\bar{\pi}| > \rho$, if $\pi$ is nontrapped, and in any case $\bar{\pi} \neq \emptyset$.

Condition (C3.b) follows immediately from Assertion (E.S)^^'.

To prove that condition (C3.c) is satisfied, we will need the lemma below.

LEMMA  3.16  (1)  Let  \ai^''-'^'>\  <  p,  for  i  ^  1,.  ..,i  and  1  <  r  <  C   Then 


/('-i)bo«;*({aT<'-^),...,a7<'-')})] 

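(2) Let $C_r$ be the call Distribute($\alpha_1, \ldots, \alpha_\ell$). Then

$$\bigcup_{\pi \in \Pi} (\bar{\pi}^{(r)} \setminus \bar{\pi}^{(r-1)}) \subseteq pow^*(\{\bar{\alpha}_1^{(r-1)}, \ldots, \bar{\alpha}_\ell^{(r-1)}\}).$$

(3) $pow^*(\{\bar{\alpha}_1, \ldots, \bar{\alpha}_\ell\}) \subseteq \bigcup_{\beta \in T(A)} \bar{\beta}$, for all P-nodes $A = \{\alpha_1, \ldots, \alpha_\ell\}$.

Proof. Concerning (1), if $|\bar{\alpha}_i^{(r-1)}| < \rho$, for $i = 1, \ldots, \ell$, then from Assertion $E^{(r-1)}$, $\bar{\alpha}_i^{(r-1)} \subseteq dom(f^{(r-1)})$, $i = 1, \ldots, \ell$, and $f^{(r-1)}$ is 1-1. Therefore Lemma 2.7(b.2) implies (1).

Assertions (B.2)$^{(r)}$ and (C.3)$^{(r)}$ imply (2).

Finally to prove (3) let $C_{r_0}$ be the last call to Distribute with argument the P-node $A = \{\alpha_1, \ldots, \alpha_\ell\}$. Then (3) is an immediate consequence of Assertion (B.2)$^{(r_0)}$ and (C.3)$^{(r_0)}$. •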

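We are now ready to prove (C3.c). To this end, let $x$ be a variable in V\{p„}, and let $\{\alpha_1, \ldots, \alpha_\ell\} = \{\pi \in \Pi : \pi(x) = 1\}$. Notice that by Lemma 3.2 the set $A = \{\alpha_1, \ldots, \alpha_\ell\}$ is a P-node. Therefore clause (3) of the preceding lemma implies that $\bigcup_{\pi(x)=1} \bar{\pi} = \bigcup_{i=1}^{\ell} \bar{\alpha}_i \in \bar{\beta}$, for some place $\beta \in T(A)$. Let $C_{r_0}$ be the call Distribute($\alpha_1, \ldots, \alpha_\ell$) during whose execution the element $\bigcup_{\pi(x)=1} \bar{\pi}$ is introduced into $\bar{\beta}$. If $|\bar{\alpha}_i| < \rho$ for all $i = 1, \ldots, \ell$, then all places $\alpha_i$ are trapped. Therefore by combining Assertions (E.4)(^\ (E.3)^^\, and the fact that all the $\alpha_i$'s are blocked, we obtain

$$f^{(r_0-1)}(\bar{\alpha}_1^{(r_0-1)} \cup \ldots \cup \bar{\alpha}_\ell^{(r_0-1)}) = f[\bar{\alpha}_1 \cup \ldots \cup \bar{\alpha}_\ell]$$
$$= f[\bar{\alpha}_1] \cup \ldots \cup f[\bar{\alpha}_\ell]$$
$$= \sigma^{\alpha_1} \cup \ldots \cup \sigma^{\alpha_\ell}$$
$$\in pow^*(\{f[\bar{\alpha}_1], \ldots, f[\bar{\alpha}_\ell]\}) \cap \sigma^{\pi^x}$$
$$= pow^*(\{f^{(r_0-1)}[\bar{\alpha}_1^{(r_0-1)}], \ldots, f^{(r_0-1)}[\bar{\alpha}_\ell^{(r_0-1)}]\}) \cap \sigma^{\pi^x},$$

which shows that $\bar{\alpha}_1^{(r_0-1)} \cup \ldots \cup \bar{\alpha}_\ell^{(r_0-1)} \in \Delta_{\pi^x}^{(r_0)} \subseteq \bar{\pi}^x$, i.e. $\beta = \pi^x$. On the other hand, if $|\bar{\alpha}_j| > \rho$ for some $j \in \{1, \ldots, \ell\}$, our conclusion follows from Assertion (C.3.c)$^{(r_0)}$, thus fully establishing condition (C3.c).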

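Next we prove that condition (C3.d) is also satisfied, i.e. that if $p = pow(q)$ is a powerset clause in $\varphi$, then $\bigcup_{\alpha(p)=1} \bar{\alpha} = pow(\bigcup_{\beta(q)=1} \bar{\beta})$. Let $\alpha \in \Pi$ such that $\alpha(p) = 1$. Lemma 3.13(a) implies that for each $t \in \bar{\alpha}$ there exists a P-node $B_t$ such that $\alpha \in T(B_t)$ and $t \in pow^*(\{\bar{\beta} : \beta \in B_t\})$. Notice also that $\beta(q) = 1$ for each $\beta \in B_t$, so that $\bigcup_{\alpha(p)=1} \bar{\alpha} \subseteq pow(\bigcup_{\beta(q)=1} \bar{\beta})$. To show the converse inclusion, let $t \in pow(\bigcup_{\beta(q)=1} \bar{\beta})$. Then $t \in pow^*(\{\bar{\beta}_1, \ldots, \bar{\beta}_k\})$ for some places $\beta_1, \ldots, \beta_k$, with $\beta_j(q) = 1$ for all $j = 1, \ldots, k$. In view of Lemma 3.16(3) we have $pow^*(\{\bar{\beta}_1, \ldots, \bar{\beta}_k\}) \subseteq \bigcup_{\alpha \in T(B)} \bar{\alpha} \subseteq \bigcup_{\alpha(p)=1} \bar{\alpha}$, where $B = \{\beta_1, \ldots, \beta_k\}$. Therefore $pow(\bigcup_{\beta(q)=1} \bar{\beta}) \subseteq \bigcup_{\alpha(p)=1} \bar{\alpha}$, thus proving (C3.d).

Finally, to complete the proof of condition (C3) we only need to verify (C3.e). To this end, let $x = \{y\}$ be a singleton clause in $\varphi$. From (C3.c) and Lemma 3.3(5), we have $\bigcup_{\beta(y)=1} \bar{\beta} \in \bar{\pi}^x = \bigcup_{\alpha(x)=1} \bar{\alpha}$. But $|\sigma^{\pi^x}| = 1$, i.e. $\pi^x$ is trapped. Therefore Assertion (E.5)^^^ implies $|\bar{\pi}^x| = 1$, which in turn yields $\bigcup_{\alpha(x)=1} \bar{\alpha} = \{\bigcup_{\beta(y)=1} \bar{\beta}\}$. This completes the proof of the necessity of condition (C3).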

In view of Lemma 3.15, to prove (C4) it is enough to show that each call to the procedure Distribute is an instantiation of Step 2 of the Association Algorithm. But this follows plainly from Lemma 3.16(2). Hence, up to the proofs of Lemmas 3.14 and 3.15 (which will be provided in the following sections), the proof of the necessity of conditions (C1)-(C4) of Theorem 3.1 is completed. •

Notice that for each conjunction $\varphi$ in the class MLSSP" there are only finitely many and a priori determinable sets of places of $\varphi$ and mappings $x \mapsto \pi^x$ and $\pi \mapsto \bar{\pi}$ as in (i)-(iii) of Theorem 3.1 and satisfying conditions (C1)-(C4). In other words, Theorem 3.1 contains a decidability test for the MLSSP" injective satisfiability problem. Therefore, Lemmas 2.2, 2.3 and the discussion at the beginning of the preceding section yield the following corollary.

COROLLARY  3.17  The  class  of  formulae  MLSSP  has  a  solvable  satisfiabil- 
ity problem. 

Actually, Theorem 3.1 implies a slightly stronger result.

COROLLARY 3.18 Let $\varphi$ be a conjunction in MLSSP" in which only $m$ distinct variables occur. Then $\varphi$ is satisfiable if and only if it has a model of rank at most

$$(m + 2\lceil \lg_2 m \rceil - 2)\,2^{2^{m-1}+m-1} + 3 \cdot 2^{2^{m-1}} - 2.$$

Proof. The above condition for the satisfiability of $\varphi$ is trivially sufficient.

Conversely, if $\varphi$ is satisfiable, by Theorem 3.1 there exist $\Pi$, $x \mapsto \pi^x$ and $\pi \mapsto \bar{\pi}$ as from (i)-(iii) and satisfying (C1)-(C4). As shown in the sufficiency proof of Theorem 3.1, the assignment $M^*x = \bigcup_{\pi(x)=1} \bar{\pi}$, for all $x$ occurring in $\varphi$, is a model of $\varphi$.

We will prove the corollary by showing that for every $x$ in $\varphi$,

$$rank(M^*x) < (m + 2\lceil \lg_2 m \rceil - 2)\,2^{2^{m-1}+m-1} + 3 \cdot 2^{2^{m-1}} - 2.$$

For this, observe that by Lemma 3.3(4), $n = |\Pi| < 2^{m-1} + 1$. Moreover, if we put $\rho = m + 2\lceil \lg_2 m \rceil$, since $m > 4$ then $\rho > 2$, so that $\rho > 2$ and $2^{\rho-1} > \rho(n - 1) + 1$ are both satisfied. Therefore we may assume that the $\rho$ appearing in (C4) has been chosen in this way.

During each execution of Step 2 of the Association Algorithm, the rank of any set $\bar{\pi}$ of maximal rank is augmented by at most 1. Since by (C4) $\pi \mapsto \bar{\pi}$ is produced by a computation of the Association Algorithm in which Step 2 is executed at most $(\rho - 2)(n - 1)2^{n-1} + 3 \cdot 2^{n-1} - 2$ times, the corollary follows. •

An immediate consequence is the following.

COROLLARY 3.19 Given a conjunction $\varphi$ in MLSSP", $\varphi$ is satisfiable if and only if it is hereditarily finitely satisfiable.
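The proof of (C3.d) relies on every subset of a union of pairwise disjoint places falling into exactly one cell pow*(B), and the rank bound of Corollary 3.18 relies on one enlargement step raising the maximal rank by at most 1. The following added example (not code from the paper) checks both on a small hereditarily finite instance. It assumes the usual definition pow*({s1,...,sk}) = {t ⊆ s1 ∪ ... ∪ sk : t meets every si}, which this section uses without restating; all function names and the sample places are constructed for illustration, and `enlarge` is a simplified stand-in for a single Distribute call.

```python
from itertools import combinations


def powerset(s):
    """All subsets of s, each as a frozenset."""
    items = list(s)
    return {frozenset(c) for r in range(len(items) + 1)
            for c in combinations(items, r)}


def pow_star(family):
    """pow*({s1,...,sk}): subsets of s1 U ... U sk that meet every si.

    Assumed definition; for the empty family it yields {emptyset}.
    """
    family = [frozenset(s) for s in family]
    union = frozenset().union(*family)
    return {t for t in powerset(union) if all(t & s for s in family)}


def rank(s):
    """Rank of a hereditarily finite set: 0 for the empty set, otherwise
    1 + the largest rank among its elements."""
    return 1 + max(map(rank, s)) if s else 0


def cells(places):
    """Map every sub-family B of the places (a tuple of names) to pow*(B)."""
    names = sorted(places)
    return {B: pow_star(places[n] for n in B)
            for r in range(len(names) + 1)
            for B in combinations(names, r)}


def cells_partition_powerset(places):
    """True when the cells pow*(B) are pairwise disjoint and together
    cover pow(union of all places)."""
    parts = list(cells(places).values())
    union = frozenset().union(*places.values())
    covered = set().union(*parts)
    # Equal total size and equal union means no element is counted twice.
    return covered == powerset(union) and sum(map(len, parts)) == len(covered)


def enlarge(places, node, target):
    """Simplified enlargement step: add to `target` every element of
    pow*(node) that does not already belong to some place."""
    taken = set().union(*places.values())
    fresh = pow_star(places[n] for n in node) - taken
    grown = dict(places)
    grown[target] = frozenset(places[target] | fresh)
    return grown


def max_rank(places):
    """Largest rank among the sets attached to the places."""
    return max(rank(s) for s in places.values())


# Constructed sample: three pairwise disjoint, nonempty places.
EMPTY = frozenset()
ONE = frozenset({EMPTY})
TWO = frozenset({EMPTY, ONE})
PLACES = {
    "a": frozenset({EMPTY}),
    "b": frozenset({ONE, TWO}),
    "c": frozenset({frozenset({ONE})}),
}
# Constructed counterexample: the places share the element ONE.
OVERLAPPING = {"a": frozenset({EMPTY, ONE}), "b": frozenset({ONE})}

if __name__ == "__main__":
    print("disjoint places give a partition:", cells_partition_powerset(PLACES))
    print("overlapping places do not:", cells_partition_powerset(OVERLAPPING))
    grown = enlarge(PLACES, ("a", "b"), "c")
    print("max rank before/after one step:", max_rank(PLACES), max_rank(grown))
```

With overlapping places the cells still cover the powerset but stop being disjoint, which is why the disjointness invariant (E.6) has to hold before the decomposition can be used.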

In  the  next  section  we  will  prove  the  Main  Inductive  Lemma. 

4     Proof  of  the  Main  Inductive  Lemma 

In this section we will prove the partial correctness of the I.V.A.A.

As in the previous section, let $K$ be an execution of the I.V.A.A., and let $C_1, C_2, C_3, \ldots$ be the sequence of calls to the procedure Distribute, arranged in the order in which they occur during the computation $K$. We will also make use of the notation $\bar{\pi}^{(r)}$, $\Delta_\pi^{(r)}$, $f^{(r)}$, Assertion $X^{(r)}$ as explained in the previous section. For the sake of completeness we restate the Main Inductive Lemma.

LEMMA 3.14 (Main Inductive Lemma: Partial Correctness) All ASSERT-statements encountered during the computation $K$ are executed successfully.

Proof. We will proceed by induction on $r > 1$, by proving that all ASSERT-statements executed during the processing of the call $C_r$ are completed successfully, i.e. they hold at the time they are encountered.

Base case $r = 1$. Notice that $f^{(0)} = \emptyset$ and $\bar{\pi}^{(0)} = \emptyset$ for all places $\pi \in \Pi$. Moreover, when the call $C_1$ is made, all places and P-nodes are marked unblocked. Indeed all places and P-nodes are marked unblocked during the Initialization Phase, so that it is enough to show that no place and no P-node can become blocked during the subsequent Blocking Phase. Observe that by Lemma 3.9(a) :r'° is the minimum unblocked place after the execution of the Initialization Phase. But ¥^°^ $= \emptyset$, so that the IF-test of the Blocking Phase fails. As $\bar{\pi}^{(0)} = \emptyset$, for all $\pi \in \Pi$, the only P-node satisfying the conditions in the Propagation Phase is the empty P-node. Indeed, it is immediate to see (cf. Lemma 2.6(a)) that $pow^*(\emptyset) \setminus \bigcup_{\beta \in T(\emptyset)} \bar{\beta}^{(0)} = \{\emptyset\}$. Therefore $C_1$ is the call Distribute($\emptyset$). Assertion $A^{(0)}$ is plain. Notice that $|\bar{\alpha}^{(0)}| < \rho$, for all $\alpha$ in the empty P-node, is vacuously true, so that the empty P-node is processed at update_for_small_alphas. It is immediate to see that

(1)^/0  ifx^TT'O 

I  {0}     if  TT  =  Tr-J" 

and  obviously  Assertion  B^^^  is  true  (cf.  Lemma  3.6(a)).  After  the  execution  of 
the  assignment  statements,  we  have 

To  complete  the  proof  in  the  base  case,  we  only  have  to  prove  that  Asser- 
tion E(^)  holds.  Assertions  (E.l)(i),  (E.2)(^),  (E.4)(i)-(E.9)(^)  are  immediate. 
Concerning  Assertion  (E.3)(^)  it  is  enough  to  observe  that  by  Lemma  3.3(1), 
(t'^'°  =  {0}  =  range(f^^^).  This  completes  our  first  induction  step. 

Inductive step. Next we assume that all ASSERT-statements encountered before the execution of the call $C_{r_0}$, with $r_0 > 1$, are completed successfully, and we prove that all ASSERT-statements met during the processing of the call $C_{r_0}$ are valid as well.

Let $C_{r_0}$ be the call Distribute($\alpha_1, \ldots, \alpha_\ell$). Clearly the P-node $A = \{\alpha_1, \ldots, \alpha_\ell\}$ cannot be the empty P-node. Notice also that according to whether the call $C_{r_0}$ is made from the Blocking Phase or from the Propagation Phase, we have respectively that either $A$ is blocked or $A$ is unblocked. In any case $A$ cannot be marked visited, showing that Assertion $A^{(r_0)}$ holds.

To prove the validity of the remaining assertions, we will distinguish two cases according to whether $|\bar{\alpha}_i^{(r_0-1)}| < \rho$ for all $i = 1, \ldots, \ell$, or $|\bar{\alpha}_{j_0}^{(r_0-1)}| > \rho$ for some $j_0 \in \{1, \ldots, \ell\}$.

Case: $|\bar{\alpha}_i^{(r_0-1)}| < \rho$ for all $i = 1, \ldots, \ell$. In this case we have

$$\Delta_\pi^{(r_0)} = (\bar{f}^{(r_0-1)})^{-1}\big[pow^*(\{f^{(r_0-1)}[\bar{\alpha}_1^{(r_0-1)}], \ldots, f^{(r_0-1)}[\bar{\alpha}_\ell^{(r_0-1)}]\}) \cap \sigma^{\pi}\big] \setminus \bigcup_{\beta \in T(A)} \bar{\beta}^{(r_0-1)},$$

for all $\pi \in \Pi$.

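The following lemma states some useful properties.

LEMMA 4.1 Let $\gamma_1, \ldots, \gamma_k$ be places of $\varphi$ such that $|\bar{\gamma}_j^{(r_0-1)}| < \rho$ for $j = 1, \ldots, k$. Then

(i) $\bar{\gamma}_j^{(r_0-1)} \subseteq dom(f^{(r_0-1)})$, for each $j = 1, \ldots, k$;

(ii) $f^{(r_0-1)}[\bar{\gamma}_j^{(r_0-1)}] \subseteq \sigma^{\gamma_j}$, for each $j = 1, \ldots, k$;

Proof. By inductive hypothesis Assertion $E^{(r_0-1)}$ we have plainly (i) and (ii). By Lemma 2.6(c) and (ii) we have also (iii). •

Let $\pi \in \Pi \setminus T(A)$. Then, by Lemma 3.6(d), $pow^*(\{\sigma^{\alpha} : \alpha \in A\}) \cap \sigma^{\pi} = \emptyset$, which by (iii) of the preceding lemma yields $\Delta_\pi^{(r_0)} = \emptyset$, thus proving Assertion (B.1)$^{(r_0)}$.

Next we prove that (B.2)$^{(r_0)}$ is also satisfied. First of all we notice that as $\bar{f}^{(r_0-1)}$ is 1-1, the sets $\Delta_\pi^{(r_0)}$ are pairwise disjoint, since so are the sets $\sigma^{\pi}$. Moreover from Lemma 2.7, Lemma 4.1, and the injectivity of $f^{(r_0-1)}$, we have

$$\bigcup_{\pi \in \Pi} \Delta_\pi^{(r_0)} = \bigcup_{\pi \in \Pi} (\bar{f}^{(r_0-1)})^{-1}\big[pow^*(\{f^{(r_0-1)}[\bar{\alpha}_1^{(r_0-1)}], \ldots, f^{(r_0-1)}[\bar{\alpha}_\ell^{(r_0-1)}]\}) \cap \sigma^{\pi}\big] \setminus \bigcup_{\beta \in T(A)} \bar{\beta}^{(r_0-1)}$$
$$= (\bar{f}^{(r_0-1)})^{-1}\big[pow^*(\{f^{(r_0-1)}[\bar{\alpha}_1^{(r_0-1)}], \ldots, f^{(r_0-1)}[\bar{\alpha}_\ell^{(r_0-1)}]\})\big] \setminus \bigcup_{\beta \in T(A)} \bar{\beta}^{(r_0-1)}$$
$$= pow^*(\{\bar{\alpha}_1^{(r_0-1)}, \ldots, \bar{\alpha}_\ell^{(r_0-1)}\}) \setminus \bigcup_{\beta \in T(A)} \bar{\beta}^{(r_0-1)}.$$

This completes the proof of Assertion (B.2)$^{(r_0)}$.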

Finally, to prove (B.3)$^{(r_0)}$, let $\beta_0$ be a place of $\varphi$ such that $\Delta_{\beta_0}^{(r_0)} \neq \emptyset$. From (B.1)$^{(r_0)}$ we have $\beta_0 \in T(A)$, so that we only need to show that the place $\beta_0$ is unblocked at the time the call $C_{r_0}$ has been made. We distinguish two subcases according to whether $\beta_0$ is trapped or not.

Subcase: $\beta_0$ is trapped. If $\beta_0$ were blocked when the call $C_{r_0}$ is made, then $|\bar{\beta}_0^{(r_0-1)}| = |\sigma^{\beta_0}| < \rho$, which by Lemma 4.1 gives $f^{(r_0-1)}[\bar{\beta}_0^{(r_0-1)}] = \sigma^{\beta_0}$. Therefore, again from Lemma 4.1 and the inductive hypothesis (E.8)$^{(r_0-1)}$ we would have

aJ-;'     C     {fi^o-i))-^[JF^)lpow*i{a^(^o-'\...,ai^^°-'^})] 


C      (/(^o-l))-l_^N-l)[^^o-l)j 


-    Po 

0eT(A) 

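The above inclusion chain implies that $\Delta_{\beta_0}^{(r_0)} = \emptyset$, contradicting our assumption $\Delta_{\beta_0}^{(r_0)} \neq \emptyset$, and consequently showing that the place $\beta_0$ must be unblocked, at least in the case in which $\beta_0$ is trapped.

Subcase: $\beta_0$ is nontrapped. Suppose that $\beta_0$ has become blocked just before the call $C_{r'}$, with $1 < r' < r_0$. Therefore

$$|pow^*(\{\bar{\alpha}_1^{(r'-1)}, \ldots, \bar{\alpha}_\ell^{(r'-1)}\}) \cap \bar{\beta}_0^{(r'-1)}| = |pow^*(\{\sigma^{\alpha_1}, \ldots, \sigma^{\alpha_\ell}\}) \cap \sigma^{\beta_0}|,$$

since $\bar{\alpha}_i^{(r'-1)} \subseteq \bar{\alpha}_i^{(r_0-1)}$ for all $i = 1, \ldots, \ell$.
Notice also that

$$pow^*(\{\bar{\alpha}_1^{(r'-1)}, \ldots, \bar{\alpha}_\ell^{(r'-1)}\}) \cap \bar{\beta}_0^{(r'-1)} \subseteq pow^*(\{\bar{\alpha}_1^{(r_0-1)}, \ldots, \bar{\alpha}_\ell^{(r_0-1)}\}) \cap \bar{\beta}_0^{(r_0-1)}.$$

Moreover, let $u \in pow^*(\{\bar{\alpha}_1^{(r_0-1)}, \ldots, \bar{\alpha}_\ell^{(r_0-1)}\}) \cap \bar{\beta}_0^{(r_0-1)}$ and let $C_{r''}$, with $1 < r'' < r_0$, be the call Distribute($\alpha_1, \ldots, \alpha_\ell$) during whose execution the element $u$ is introduced into $\bar{\beta}_0$ (cf. inductive hypothesis (E.9)$^{(r_0-1)}$). Since


/K).;K-i)u/(^"-i)t_.^^^,„_, _,,,_,^^     ,
we have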


Therefore  7(^^^(u)  =  /(^o-i)(u)  £  /(^°-i)[^'°"'^]  C  a^,  so  that 

/(^^^(u)  6  7(^^^[pou;'({Q^'''-') a2<'»-''})]na^, 

thus  proving 

Prom  Lemmas  2.7  eind  5.1  we  have 

C     pou-*({a'",...,<T°'}). 
Hence 

As  /('o-i)  is  injective  and  pcm;*({QT<''-i\ . . .,  a7<'''^'})  has  finite  cardi- 
nality, the  latter  chain  of  inclusions  combined  with  above  cardinality  equality 
yields 

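and therefore

$$\Delta_{\beta_0}^{(r_0)} \subseteq (\bar{f}^{(r_0-1)})^{-1}\big[pow^*(\{f^{(r_0-1)}[\bar{\alpha}_1^{(r_0-1)}], \ldots, f^{(r_0-1)}[\bar{\alpha}_\ell^{(r_0-1)}]\}) \cap \sigma^{\beta_0}\big]$$
$$\subseteq pow^*(\{\bar{\alpha}_1^{(r_0-1)}, \ldots, \bar{\alpha}_\ell^{(r_0-1)}\}) \cap \bar{\beta}_0^{(r_0-1)}$$
$$\subseteq \bar{\beta}_0^{(r_0-1)}$$
$$\subseteq \bigcup_{\beta \in T(A)} \bar{\beta}^{(r_0-1)}.$$

The latter inclusion contradicts our earlier assumption $\Delta_{\beta_0}^{(r_0)} \neq \emptyset$, thereby showing that the place $\beta_0$ must be unblocked even in the present case. Thus Assertion (B.3)$^{(r_0)}$ is fully proved.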

After  the  assignment  statements  have  been  executed,  we  have 

and  

To complete our analysis of the inductive step in the case in which $|\bar{\alpha}_i^{(r_0-1)}| < \rho$ for all $i = 1, \ldots, \ell$, we only need to verify Assertion $E^{(r_0)}$. This is done as follows.

Concerning (E.1)$^{(r_0)}$, we begin by showing that $f^{(r_0)}$ is indeed a function, i.e. that for each $u$ in $dom(f^{(r_0)})$ there is exactly one pair $(u, t) \in f^{(r_0)}$ having $u$ as first element. As by induction $f^{(r_0-1)}$ and $\bar{f}^{(r_0-1)}$ are functions, it is enough to prove that for each $u \in dom(f^{(r_0-1)}) \cap pow^*(\{\bar{\alpha}_1^{(r_0-1)}, \ldots, \bar{\alpha}_\ell^{(r_0-1)}\})$, $f^{(r_0-1)}(u) = f^{(r_0-1)}[u]$. But this follows plainly from Assertion (E.5)$^{(r_0-1)}$. Next we prove that $f^{(r_0)}$ is injective. As by induction and by Lemma 2.7 both $f^{(r_0-1)}$ and $\bar{f}^{(r_0-1)}$ are injective, it is enough to prove the following lemma.

LEMMA 4.2 Let $u_1 \in dom(f^{(r_0-1)})$ and $u_2 \in pow^*(\{\bar{\gamma}^{(r_0-1)} : \gamma \in \Gamma\})$ such that $f^{(r_0-1)}(u_1) = \bar{f}^{(r_0-1)}(u_2)$, where $\Gamma$ is a P-node with $|\bar{\gamma}^{(r_0-1)}| < \rho$ for all $\gamma \in \Gamma$. Then $u_1 = u_2$.

Proof. Let $u_1$, $u_2$ and $\Gamma$ be as in the above hypotheses. Then from Lemma 2.7 and Lemma 5.1(iii) it follows that $f^{(r_0-1)}(u_1) \in pow^*(\{\sigma^{\gamma} : \gamma \in \Gamma\})$, which by (E.8)$^{(r_0-1)}$, by the disjointness of the sets $\sigma$'s and Lemma 2.6(c) implies $u_1 \in pow^*(\{\bar{\gamma}^{(r_0-1)} : \gamma \in \Gamma\})$. Therefore (E.2)$^{(r_0-1)}$ and (E.7)$^{(r_0-1)}$ yield $f^{(r_0-1)}(u_1) = \bar{f}^{(r_0-1)}(u_1) = \bar{f}^{(r_0-1)}(u_2)$, which by the injectivity of $\bar{f}^{(r_0-1)}$ implies $u_1 = u_2$, thus proving the lemma. •

Having  proved  the  preceding  lemma,  and  thus  established  (E.l)(''°\  we  turn 
to  {E.2)^''°\  To  prove  that  (E.2)('"»)  is  satisfied  it  is  enough  to  observe  that,  by 
(B.2)("'-^), 

pat.-({aT<--^),...,a^--^)})C      (J     ^-"^^  U     [j     A^^U      [j     /''\ 

0enA)  0eT(A)  fieT(,A) 

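Next we prove that (E.3)$^{(r_0)}$ holds. Let $\pi \in \Pi$. Since $f^{(r_0)}[\bar{\pi}^{(r_0)}] = f^{(r_0-1)}[\bar{\pi}^{(r_0-1)}] \cup \bar{f}^{(r_0-1)}[\Delta_\pi^{(r_0)}]$, by inductive hypothesis we can limit ourselves to proving $\bar{f}^{(r_0-1)}[\Delta_\pi^{(r_0)}] \subseteq \sigma^{\pi}$. But this follows immediately from the very definition of $\Delta_\pi^{(r_0)}$. Since $\Delta_\pi^{(r_0)} \subseteq dom(f^{(r_0)})$, for all $\pi \in \Pi$, by induction we obtain (E.4)$^{(r_0)}$.

Next we verify Assertion (E.5)$^{(r_0)}$. Let $\pi$ be a trapped place. From (B.2)$^{(r_0)}$ and the inductive hypothesis (E.5)$^{(r_0-1)}$, we have $\bar{\pi}^{(r_0)} \subseteq dom(f^{(r_0)})$. Moreover (E.3)$^{(r_0)}$ implies $f^{(r_0)}[\bar{\pi}^{(r_0)}] \subseteq \sigma^{\pi}$. Therefore, as $f^{(r_0)}$ is injective we have $|\bar{\pi}^{(r_0)}| < |\sigma^{\pi}|$, which proves (E.5)$^{(r_0)}$.

Concerning (E.6)$^{(r_0)}$, we need to prove that if $\alpha$ and $\beta$ are two distinct places of $\varphi$, then $\bar{\alpha}^{(r_0)} \cap \bar{\beta}^{(r_0)} = \emptyset$. But $\bar{\alpha}^{(r_0)} \cap \bar{\beta}^{(r_0)} = (\bar{\alpha}^{(r_0-1)} \cap \Delta_\beta^{(r_0)}) \cup (\bar{\beta}^{(r_0-1)} \cap \Delta_\alpha^{(r_0)})$, therefore it is enough to show that $\bar{\gamma}^{(r_0-1)} \cap \Delta_\delta^{(r_0)} = \emptyset$, for any two distinct places $\gamma$ and $\delta$. Suppose by contradiction that there exists $u \in \bar{\gamma}^{(r_0-1)} \cap \Delta_\delta^{(r_0)}$. Then, by (B.2)$^{(r_0)}$, $u \in pow^*(\{\bar{\alpha}_1^{(r_0-1)}, \ldots, \bar{\alpha}_\ell^{(r_0-1)}\})$. In view of (E.9.b)$^{(r_0-1)}$, this implies that $\Delta_\delta^{(r_0)} \cap \bar{\gamma}^{(r_0-1)} = \emptyset$, thus completing the proof that Assertion (E.6)$^{(r_0)}$ is valid.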

Concerning  (E.7)('°),  let  u  G  pow'{{f'^^  :  7  £  ^})nU,e^^'°^  ^^th 
r  a  P-node  such  that  It^'")!  <  p  for  each  i  £  T.  Let  C,..,  with  t'  <  tq, 
be  the  call  to  Distribute  during  whose  execution  the  element  u  is  introduced 
into  UTsn'^-  Notice  that  by  the  disjointness  of  the  sets  t^''-^),  C,-  must  be 
the  call  Dtstnbute{T).  As  |f-''-^)|  <  p  for  each  7  e  T,  it  foUows  that  u  e 
poiz;'({7<''-^)  :  7  G  T})  C  dom{f(^)ndom{f^''))  C  dom{f(^^))f\dom{f (''>)), 

and  also  /('•°)(u)  =  /(''H")  =  f^'-^M  =  /^'''"'H"]  =  /''°^["]'  ^^^^  P^^^^^ 
Assertion  (E.T)^'"''). 

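Concerning (E.8)$^{(r_0)}$, let $u \in \mathrm{pow}^*(\{\overline{\gamma}^{(r_0)} : \gamma \in \Gamma\}) \cap \mathrm{dom}(f^{(r_0)})$, where $\Gamma$ is
any P-node. From (E.2)$^{(r_0)}$, we have $u \in \overline{\pi}^{(r_0)}$, for some $\pi \in \Pi$. Let $C_{r'}$, with
$r' \le r_0$, be the call Distribute($\Gamma$) during whose execution the element $u$ is put
into $\bigcup_{\pi \in \Pi} \overline{\pi}$. If $|\overline{\gamma}^{(r'-1)}| \ge p$ for some $\gamma \in \Gamma$, then
$f^{(r')}(u) \in \sigma^{\pi} \cap \mathrm{pow}^*(\{\sigma^{\gamma} : \gamma \in \Gamma\}) \setminus (\sigma^{\Gamma})^{(r')} \setminus \mathrm{range}(f^{(r'-1)})$.
On the other hand, if $|\overline{\gamma}^{(r'-1)}| < p$ for all
$\gamma \in \Gamma$, then by Lemma 4.1(iii) $f^{(r')}(u) = f^{(r'-1)}[u] \in \mathrm{pow}^*(\{\sigma^{\gamma} : \gamma \in \Gamma\})$.
In any case we have $f^{(r_0)}(u) = f^{(r')}(u) \in \mathrm{pow}^*(\{\sigma^{\gamma} : \gamma \in \Gamma\})$, which proves
(E.8)$^{(r_0)}$.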

Finally, in order to complete our analysis of the inductive step, at least in
the case in which $|\overline{\alpha}_i^{(r_0-1)}| < p$ for all $i = 1, \ldots, \ell$, we only need to prove that
Assertion (E.9)$^{(r_0)}$ is satisfied too. Let $t \in \mathrm{pow}^*(\{\overline{\gamma}_1^{(r_0)}, \ldots, \overline{\gamma}_h^{(r_0)}\}) \cap \overline{\delta}^{(r_0)}$,
for some places $\gamma_1, \ldots, \gamma_h, \delta$. Let $C_{r'}$ be the call to the procedure Distribute
during whose execution the element $t$ is introduced into the set $\overline{\delta}$. Suppose that
$C_{r'}$ is the call Distribute($\beta_1, \ldots, \beta_k$), with $\{\beta_1, \ldots, \beta_k\}$ a P-node. Therefore by
inductive hypothesis (B.2)$^{(r')}$ and (C.3)$^{(r')}$,
$t \in \mathrm{pow}^*(\{\overline{\beta}_1^{(r'-1)}, \ldots, \overline{\beta}_k^{(r'-1)}\}) \subseteq \mathrm{pow}^*(\{\overline{\beta}_1^{(r_0)}, \ldots, \overline{\beta}_k^{(r_0)}\})$.
The latter relationships imply $\{\beta_1, \ldots, \beta_k\} = \{\gamma_1, \ldots, \gamma_h\}$,
since the sets $\overline{\beta}_1^{(r_0)}, \ldots, \overline{\beta}_k^{(r_0)}, \overline{\gamma}_1^{(r_0)}, \ldots, \overline{\gamma}_h^{(r_0)}$ are pairwise disjoint,
if not identical (cf. Lemma 2.6(b)). Therefore by (B.2)$^{(r')}$ and (C.3)$^{(r')}$ we
have that $\{\gamma_1, \ldots, \gamma_h\}$ is a P-node having $\delta$ among its targets, thus proving
(E.9.a)$^{(r_0)}$ and (E.9.b)$^{(r_0)}$. Furthermore (E.9.c)$^{(r_0)}$ follows immediately from
the above discussion, so that Assertion (E.9)$^{(r_0)}$ holds. This completes the
analysis of our first case. The second, and last, case to be considered is the
following.

Case: $|\overline{\alpha}_{j_0}^{(r_0-1)}| \ge p$ for some $j_0 \in \{1, \ldots, \ell\}$. Let $\beta_1, \ldots, \beta_g$, $\tau_1, \ldots, \tau_k$,
$\nu_1, \ldots, \nu_h$ be all the targets of the P-node $A$, where at the time the call $C_{r_0}$ is
made the $\beta$'s are the blocked targets, the $\tau$'s are the unblocked trapped targets,
and the $\nu$'s are the unblocked untrapped targets of $\{\alpha_1, \ldots, \alpha_\ell\}$, respectively.

We  have 


pot.*({aT<'-^),...,a^^»-^)})\     U     ^'""'^ 

\{ar<'<'-^)u...UQ7<'<'-^)}, 

0  if  >1  is  not  blocked  just  before 

<  the  call  Cro  is  made 

{oi^'-o-i)  u  ...UoT^'"""'')}     otherwise. 

0  if  j4  is  blocked  just  before  the  call 

=     <  Cto  is  made 

{cr°>  U  ...U<T°'}     otherwise. 


In addition, for all unblocked targets $\tau_1, \ldots, \tau_k$ of $A$, we have


n 


('o) 


-|t7<'»-^)  n  pow*{{a^''>-'^\  . . .  ,a7<"'-^)})|. 


We begin by proving that Assertion C$^{(r_0)}$ is satisfied.

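Concerning (C.1)$^{(r_0)}$, assume that $\overline{\alpha}_1^{(r_0-1)} \cup \cdots \cup \overline{\alpha}_\ell^{(r_0-1)} \in \overline{\beta}_0^{(r_0-1)}$, for some
place $\beta_0 \in T(A)$. Then the element $\overline{\alpha}_1^{(r_0-1)} \cup \cdots \cup \overline{\alpha}_\ell^{(r_0-1)}$ has been introduced into
the set $\overline{\beta}_0$ during the execution of a prior call $C_{r'}$, Distribute($\alpha_1, \ldots, \alpha_\ell$), and
furthermore $\overline{\alpha}_1^{(r'-1)} \cup \cdots \cup \overline{\alpha}_\ell^{(r'-1)} = \overline{\alpha}_1^{(r_0-1)} \cup \cdots \cup \overline{\alpha}_\ell^{(r_0-1)}$. As
$\overline{\alpha}_1^{(r'-1)} \cup \cdots \cup \overline{\alpha}_\ell^{(r'-1)} \in \Delta^{(r')}$, the P-node $A$ must have been blocked when the call $C_{r'}$
was made, preventing it from being processed again by procedure Distribute.
But this is a contradiction, since the call $C_{r_0}$ has as argument the P-node $A$.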
Therefore  ,      ,  ^ 

proving (C.1)$^{(r_0)}$.

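Concerning (C.2)$^{(r_0)}$, suppose by contradiction that $\sigma^{\alpha_1} \cup \cdots \cup \sigma^{\alpha_\ell} \in \mathrm{range}(f^{(r_0-1)})$,
and let $u \in \mathrm{dom}(f^{(r_0-1)})$ be such that $f^{(r_0-1)}(u) = \sigma^{\alpha_1} \cup \cdots \cup \sigma^{\alpha_\ell}$.
Notice that the inductive hypothesis (E.8)$^{(r_0-1)}$ implies
$u \in \mathrm{pow}^*(\{\overline{\alpha}_1^{(r_0-1)}, \ldots, \overline{\alpha}_\ell^{(r_0-1)}\})$,
so that the element $u$ must have been introduced during a prior call
$C_{r'}$, Distribute($\alpha_1, \ldots, \alpha_\ell$). If $|\overline{\alpha}_i^{(r'-1)}| < p$ for all $i = 1, \ldots, \ell$, then
$\sigma^{\alpha_1} \cup \cdots \cup \sigma^{\alpha_\ell} = f^{(r')}(u) = f^{(r'-1)}[u] \subseteq f^{(r'-1)}[\overline{\alpha}_1^{(r'-1)}] \cup \cdots \cup f^{(r'-1)}[\overline{\alpha}_\ell^{(r'-1)}]$; and since
by Lemma 4.1(ii) $f^{(r'-1)}[\overline{\alpha}_i^{(r'-1)}] \subseteq \sigma^{\alpha_i}$, for $i = 1, \ldots, \ell$, then
$f^{(r'-1)}[\overline{\alpha}_i^{(r'-1)}] = \sigma^{\alpha_i}$, $i = 1, \ldots, \ell$. In view of the injectivity of $f^{(r'-1)}$, the latter equalities imply
$|\sigma^{\alpha_i}| = |\overline{\alpha}_i^{(r'-1)}|$, i.e. the places $\alpha_i$ are trapped, for $i = 1, \ldots, \ell$. But then
by inductive hypothesis (E.5)$^{(r_0-1)}$, we should have $|\overline{\alpha}_i^{(r_0-1)}| < p$, for all $i = 1, \ldots, \ell$,
contradicting our assumption $|\overline{\alpha}_{j_0}^{(r_0-1)}| \ge p$ for some $j_0 \in \{1, \ldots, \ell\}$.
This contradiction shows that $|\overline{\alpha}_j^{(r'-1)}| \ge p$ for some $j \in \{1, \ldots, \ell\}$. But then,
an argument similar to the one given for the proof of Assertion (C.1)$^{(r_0)}$ allows
us to conclude that (C.2)$^{(r_0)}$ is also satisfied.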

Next we show that Assertions (C.3)$^{(r_0)}$ and (C.4)$^{(r_0)}$ hold too. If the P-node
$\{\alpha_1, \ldots, \alpha_\ell\}$ has never been processed by Distribute prior to the call $C_{r_0}$, we
put $r' = 1$, otherwise we let $C_{r'}$ denote the latest call Distribute($\alpha_1, \ldots, \alpha_\ell$),
with $r' < r_0$. We will distinguish two subcases, according to whether the set
$\bigcup_{\alpha \in A} (\overline{\alpha}^{(r_0-1)} \setminus \overline{\alpha}^{(r'-1)})$ is empty or not.

Subcase: $\bigcup_{\alpha \in A} (\overline{\alpha}^{(r_0-1)} \setminus \overline{\alpha}^{(r'-1)}) = \emptyset$. Notice that in this case $r' > 1$, and
$\overline{\alpha}^{(r_0-1)} = \overline{\alpha}^{(r'-1)}$, for all $\alpha \in A$. Therefore after the execution of $C_{r'}$, the
P-node $A$ is marked as 'visited', preventing it from being further processed
from the Propagation Phase. Thus the call $C_{r_0}$ must have been made from
the Blocking Phase, and in particular the P-node $A$ must be marked 'blocked'
when the call $C_{r_0}$ is made. Therefore, $\Delta''^{(r_0)} = \{\overline{\alpha}_1^{(r_0-1)} \cup \cdots \cup \overline{\alpha}_\ell^{(r_0-1)}\}$,
$(\sigma^A)^{(r_0)} = \emptyset$, and, by the inductive hypothesis C$^{(r')}$, $\Delta'^{(r_0)} = \emptyset$ and
$\Delta^{(r_0)} = \Delta''^{(r_0)}$. Assertion (C.3.b)$^{(r_0)}$ is vacuously true. As regards (C.3.c)$^{(r_0)}$, it is
sufficient to notice that as $\pi^A > \alpha$, for all $\alpha \in A$ (cf. Lemma 3.12), then
Lemma 3.13(d) assures us that the place $\pi^A$ is unblocked during the execution
of the call $C_{r_0}$ (we recall that $\pi^A$ denotes the principal target of the P-node $A$).
In order to prove (C.3.a)$^{(r_0)}$ all we have to show is that $n_j^{(r_0)} \le 1$, $j = 1, \ldots, k$,
where the equality holds if and only if $\tau_j$ coincides with the place $\pi^A$. We have

„(.'')     =     |(7^^npou;'({a'",...,a<^'})\{a°'U...U(r"'} 
-|T7<''-^)npou;*({aT<''-i),...,a7<''-^)})| 

and  ry^*"')  =  t^'''~^)u  At,    ■  Therefore,  by  inductive  hypothesis, 

|cT-^npou;-({a°S...,<7°'})|-n5''') 
=     \T<^^-'^npow'{{a^^'>-'\...,c^^'>-'^})\ 
=     |T7<'')npot.-({aT<''-^),...,a7<''-^)})| 
=     |(T-<''-^)uAi;'))npou;*({aI<''-i),...,a^''-^)})| 

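so that

$$n_j^{(r_0)} = \begin{cases} 1 & \text{if } \tau_j = \pi^A \\ 0 & \text{otherwise,} \end{cases}$$

concluding the proof of (C.3.a)$^{(r_0)}$ and in turn of Assertion (C.3)$^{(r_0)}$, at least
in the present case in which $\bigcup_{\alpha \in A} (\overline{\alpha}^{(r_0-1)} \setminus \overline{\alpha}^{(r'-1)}) = \emptyset$.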

Subcase: $\bigcup_{\alpha \in A} (\overline{\alpha}^{(r_0-1)} \setminus \overline{\alpha}^{(r'-1)}) \ne \emptyset$. Notice that $n_j^{(r_0)} \le |\sigma^{\tau_j}| < p$, for each
trapped target $\tau_j$ of $A$. Hence, by Lemma 3.9(b) and since by Lemma 3.6(e)
each P-node can have at most $n - 1$ targets, to prove (C.3)$^{(r_0)}$ it is enough to
show that $|\Delta^{(r_0)}| > p(n - 1)$.

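CLAIM. For each $t_0 \in \bigcup_{\alpha \in A} (\overline{\alpha}^{(r_0-1)} \setminus \overline{\alpha}^{(r'-1)})$ we have:

(I) $\mathrm{pow}^*(\{\{t_0\}, \overline{\alpha}_1^{(r_0-1)}, \ldots, \overline{\alpha}_\ell^{(r_0-1)}\}) \subseteq \Delta^{(r_0)} \cup \{\overline{\alpha}_1^{(r_0-1)} \cup \cdots \cup \overline{\alpha}_\ell^{(r_0-1)}\}$
(II) $|\mathrm{pow}^*(\{\{t_0\}, \overline{\alpha}_1^{(r_0-1)}, \ldots, \overline{\alpha}_\ell^{(r_0-1)}\})| > p(n - 1)$.

Proof. As $\{t_0\} \subseteq \bigcup_{\alpha \in A} \overline{\alpha}^{(r_0-1)}$, we have clearly

$$\mathrm{pow}^*(\{\{t_0\}, \overline{\alpha}_1^{(r_0-1)}, \ldots, \overline{\alpha}_\ell^{(r_0-1)}\}) \subseteq \mathrm{pow}^*(\{\overline{\alpha}_1^{(r_0-1)}, \ldots, \overline{\alpha}_\ell^{(r_0-1)}\}).$$

Therefore, to prove (I) it suffices to show that

$$\mathrm{pow}^*(\{\{t_0\}, \overline{\alpha}_1^{(r_0-1)}, \ldots, \overline{\alpha}_\ell^{(r_0-1)}\}) \cap \bigcup_{\beta \in T(A)} \overline{\beta}^{(r_0-1)} = \emptyset.$$

We do this as follows. Let $u_0 \in \mathrm{pow}^*(\{\{t_0\}, \overline{\alpha}_1^{(r_0-1)}, \ldots, \overline{\alpha}_\ell^{(r_0-1)}\}) \cap \overline{\beta}_0^{(r_0-1)}$,
for some $\beta_0 \in T(A)$. By inductive hypothesis (E.9)$^{(r_0-1)}$, the element $u_0$ has
been introduced in $\overline{\beta}_0$ during the execution of a call $C_{r''}$, Distribute($\alpha_1, \ldots, \alpha_\ell$),
with $r'' \le r'$. In particular, $t_0 \in \bigcup_{\alpha \in A} \overline{\alpha}^{(r''-1)} \subseteq \bigcup_{\alpha \in A} \overline{\alpha}^{(r'-1)}$, contradicting the
fact that $t_0 \notin \bigcup_{\alpha \in A} \overline{\alpha}^{(r'-1)}$ and thereby completing the proof of (I).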

To prove (II) we just observe that as $|\overline{\alpha}_{j_0}^{(r_0-1)}| \ge p$ for some $j_0 \in \{1, \ldots, \ell\}$,
then obviously

pou;-  ({{fo},aI<--^\  . .  .,a2<-i)})  |  >  min(2''  -  1,2"-^  -  1)  =  2-^  -  1. 

Then  (11)  follows  plainly  from  the  assumption  2"'^  -  1  >  ^(n  -  1). 

Thus  the  Claim  is  fully  established.  • 

The above Claim obviously implies that $|\Delta^{(r_0)}| > p(n - 1)$, which concludes
the proof of Assertion (C.3)$^{(r_0)}$ even in the case in which
$\bigcup_{\alpha \in A} (\overline{\alpha}^{(r_0-1)} \setminus \overline{\alpha}^{(r'-1)}) \ne \emptyset$.

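Finally we show that Assertion (C.4)$^{(r_0)}$ is satisfied too. It is enough to
prove

$$|\sigma^{\tau_j} \cap \mathrm{pow}^*(\{\sigma^{\alpha_1}, \ldots, \sigma^{\alpha_\ell}\}) \cap \mathrm{range}(f^{(r_0-1)}) \setminus (\sigma^A)^{(r_0)}| = |\overline{\tau}_j^{(r_0-1)} \cap \mathrm{pow}^*(\{\overline{\alpha}_1^{(r_0-1)}, \ldots, \overline{\alpha}_\ell^{(r_0-1)}\})|,$$

for each $j = 1, \ldots, k$. As $\tau_j$ is trapped, by inductive hypothesis (E.4)$^{(r_0-1)}$
and (E.5)$^{(r_0-1)}$, $\overline{\tau}_j^{(r_0-1)} \subseteq \mathrm{dom}(f^{(r_0-1)})$. Also from (C.2)$^{(r_0)}$,
$(\sigma^A)^{(r_0)} \cap \mathrm{range}(f^{(r_0-1)}) = \emptyset$. Therefore we can limit ourselves to proving that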

n pou;*({c7°' , . . . ,  a°'})  n  rangeif^'"-'^). 

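Let $u \in \overline{\tau}_j^{(r_0-1)} \cap \mathrm{pow}^*(\{\overline{\alpha}_1^{(r_0-1)}, \ldots, \overline{\alpha}_\ell^{(r_0-1)}\})$. Then by
inductive hypotheses (E.3)$^{(r_0-1)}$-(E.5)$^{(r_0-1)}$ and (E.8)$^{(r_0-1)}$, we have
$f^{(r_0-1)}(u) \in \sigma^{\tau_j} \cap \mathrm{pow}^*(\{\sigma^{\alpha_1}, \ldots, \sigma^{\alpha_\ell}\}) \cap \mathrm{range}(f^{(r_0-1)})$. To prove the converse inclusion,
let

$$t \in \sigma^{\tau_j} \cap \mathrm{pow}^*(\{\sigma^{\alpha_1}, \ldots, \sigma^{\alpha_\ell}\}) \cap \mathrm{range}(f^{(r_0-1)}).$$

Let $u \in \mathrm{dom}(f^{(r_0-1)})$ be such that $f^{(r_0-1)}(u) = t$. From (E.3)$^{(r_0-1)}$, (E.8)$^{(r_0-1)}$,
it follows $u \in \overline{\tau}_j^{(r_0-1)} \cap \mathrm{pow}^*(\{\overline{\alpha}_1^{(r_0-1)}, \ldots, \overline{\alpha}_\ell^{(r_0-1)}\})$, thus proving also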

a^'  n  poti;*({a°', . . .,  a'"'})  n  rangeif^^'-'^) 
=     a'' 


This proves the validity of Assertion (C.4)$^{(r_0)}$, and in turn completes the
demonstration that Assertion C$^{(r_0)}$ is satisfied.

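After the execution of the assignment statements in $C_{r_0}$, we have

$$\overline{\pi}^{(r_0)} = \overline{\pi}^{(r_0-1)} \cup \Delta_\pi^{(r_0)} \quad \text{for each } \pi \in \Pi,$$

and

$$f^{(r_0)} = f^{(r_0-1)} \cup f_{\tau_1}^{(r_0)} \cup \cdots \cup f_{\tau_k}^{(r_0)},$$

where $f_{\tau_j}^{(r_0)}$ is a one-one correspondence between $\Delta_{\tau_j}^{(r_0)}$ and the set
$\sigma^{\tau_j} \cap \mathrm{pow}^*(\{\sigma^{\alpha_1}, \ldots, \sigma^{\alpha_\ell}\}) \setminus (\sigma^A)^{(r_0)} \setminus \mathrm{range}(f^{(r_0-1)})$, $j = 1, \ldots, k$.

To prove that Assertion D$^{(r_0)}$ holds, we need Assertion (E.9)$^{(r_0)}$, which can
be proved exactly in the same way as in the previous case in which $|\overline{\alpha}_i^{(r_0-1)}| < p$
for all $i = 1, \ldots, \ell$.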

From (E.9)$^{(r_0)}$ and (C.3)$^{(r_0)}$ we have

=  |(T7<''-^)uAi;°))npou;»({aT<"'-i),...,a7<'°-^)})| 
=  |77<^°-i)npou;*({aI<^°-^),...,Q7<'°-^)})|  +  |At;°)i 
=     |<7"^npoii;*({a'",...,a"^})\(a^)(''')i 

for each $j = 1, \ldots, k$, which proves that Assertion D$^{(r_0)}$ is satisfied.

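To complete the proof of the Main Inductive Lemma, we only need to show
that in the present case in which $|\overline{\alpha}_{j_0}^{(r_0-1)}| \ge p$ for some $j_0 \in \{1, \ldots, \ell\}$,
Assertion E$^{(r_0)}$ is satisfied.

As regards (E.1)$^{(r_0)}$, it is enough to observe that
$\{\mathrm{dom}(f^{(r_0-1)})\} \cup \{\mathrm{dom}(f_{\tau_j}^{(r_0)}) : j = 1, \ldots, k\}$ and
$\{\mathrm{range}(f^{(r_0-1)})\} \cup \{\mathrm{range}(f_{\tau_j}^{(r_0)}) : j = 1, \ldots, k\}$
are both families of pairwise disjoint sets, and that $f^{(r_0-1)}$,
$f_{\tau_1}^{(r_0)}, \ldots, f_{\tau_k}^{(r_0)}$ are all 1-1 functions.

Concerning (E.2)$^{(r_0)}$, it suffices to notice that $\mathrm{dom}(f_{\tau_j}^{(r_0)}) = \Delta_{\tau_j}^{(r_0)} \subseteq \overline{\tau}_j^{(r_0)}$
for all $j = 1, \ldots, k$. Moreover, as $f_{\tau_j}^{(r_0)}[\Delta_{\tau_j}^{(r_0)}] \subseteq \sigma^{\tau_j}$, Assertion (E.3)$^{(r_0)}$ follows
at once.

Next, let $\pi$ be a place of $\varphi$ such that $|\overline{\pi}^{(r_0)}| < p$. Then $|\Delta_\pi^{(r_0)}| < p$, which
easily implies $\Delta_\pi^{(r_0)} \subseteq \mathrm{dom}(f^{(r_0)})$. Therefore by inductive hypothesis (E.4)$^{(r_0-1)}$
we obtain (E.4)$^{(r_0)}$.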

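Concerning (E.5)$^{(r_0)}$, let $\pi$ be a trapped place. If $\pi$ is not a target of
the P-node $A$, then $\overline{\pi}^{(r_0)} = \overline{\pi}^{(r_0-1)}$ and the inductive hypothesis (E.5)$^{(r_0-1)}$
implies (E.5)$^{(r_0)}$. On the other hand, if $\pi$ is a target of the P-node $A$, then
$\overline{\pi}^{(r_0)} = \overline{\pi}^{(r_0-1)} \cup \Delta_\pi^{(r_0)}$, with $\overline{\pi}^{(r_0-1)} \subseteq \mathrm{dom}(f^{(r_0-1)})$ (cf. (E.5)$^{(r_0-1)}$) and
$\Delta_\pi^{(r_0)} \subseteq \mathrm{dom}(f_\pi^{(r_0)}) \subseteq \mathrm{dom}(f^{(r_0)})$. Therefore, $\overline{\pi}^{(r_0)} \subseteq \mathrm{dom}(f^{(r_0)})$, so that the injectivity
of $f^{(r_0)}$ combined with (E.3)$^{(r_0)}$ gives $|\overline{\pi}^{(r_0)}| \le |\sigma^{\pi}|$, which proves (E.5)$^{(r_0)}$.

As regards (E.6)$^{(r_0)}$, let $\alpha$ and $\beta$ be any two distinct places of $\varphi$. By inductive
hypothesis, $\overline{\alpha}^{(r_0)} \cap \overline{\beta}^{(r_0)} = (\overline{\alpha}^{(r_0-1)} \cap \Delta_\beta^{(r_0)}) \cup (\overline{\beta}^{(r_0-1)} \cap \Delta_\alpha^{(r_0)})$, so that in order
to prove that $\overline{\alpha}^{(r_0)} \cap \overline{\beta}^{(r_0)} = \emptyset$, it is enough to show that $\overline{\gamma}^{(r_0-1)} \cap \Delta_\delta^{(r_0)} = \emptyset$,
for any two distinct places $\gamma$ and $\delta$. Suppose by contradiction that there exists
$u \in \overline{\gamma}^{(r_0-1)} \cap \Delta_\delta^{(r_0)}$. Then, by (C.3)$^{(r_0)}$, $u \in \mathrm{pow}^*(\{\overline{\alpha}_1^{(r_0-1)}, \ldots, \overline{\alpha}_\ell^{(r_0-1)}\})$,
which by (E.9.b)$^{(r_0-1)}$ implies that $\Delta_\delta^{(r_0)} \cap \overline{\gamma}^{(r_0-1)} = \emptyset$. But this contradicts our
assumption $\overline{\gamma}^{(r_0-1)} \cap \Delta_\delta^{(r_0)} \ne \emptyset$, and consequently proves Assertion (E.6)$^{(r_0)}$.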

Finally, concerning Assertions (E.7)$^{(r_0)}$ and (E.8)$^{(r_0)}$, we notice that the
proofs given in the analysis of the preceding case in which $|\overline{\alpha}_i^{(r_0-1)}| < p$ for all
$i = 1, \ldots, \ell$ can be repeated word for word in the present case too. Also, we
already observed that the same is true for Assertion (E.9)$^{(r_0)}$.

This completes the analysis of the inductive step in the case in which
$|\overline{\alpha}_{j_0}^{(r_0-1)}| \ge p$ for some $j_0 \in \{1, \ldots, \ell\}$, thereby concluding the proof of the
Main Inductive Lemma. •

The following section will show that the sequence of calls $C_1, C_2, \ldots$ in $K$
is finite and that in fact the computation $K$ terminates.

5     TERMINATION  PROOF 

Again, we denote by $K$ an execution of the I.V.A.A. and by $C_1, C_2, C_3, \ldots$ the
sequence of calls to the procedure Distribute arranged in the order in which
they occur during the computation $K$. Also, we use the notation $\overline{\pi}^{(r)}$, $\Delta_\pi^{(r)}$,
$f^{(r)}$, Assertion X$^{(r)}$ with the same meaning as in the preceding sections.

In this section we prove the following lemma, which has been already stated
in Section 3.

LEMMA 3.15 (Termination) The number of calls $C_1, C_2, C_3, \ldots$ in the
computation $K$ is bounded by $(p - 2)(n - 1)2^{n-2} + 3 \cdot 2^{n-1} - 2$, where $n = |\Pi|$, and
$p$ is the constant which appears in condition (C4) of Theorem 3.1. Moreover,
when the last call to the procedure Distribute is made, all places $\pi \in \Pi$ are
blocked.

Proof. We begin by establishing an upper bound on the number of calls
$C_1, C_2, C_3, \ldots$ made during the computation $K$. Let $A = \{\alpha_1, \ldots, \alpha_\ell\}$ be a
nonempty P-node, and let $C_{r_1}, C_{r_2}, C_{r_3}, \ldots$, with $1 \le r_1 < r_2 < r_3 < \cdots$, be
the subsequence of $C_1, C_2, C_3, \ldots$ consisting of all the calls Distribute($\alpha_1, \ldots, \alpha_\ell$)
made from the Propagation Phase and such that $|\overline{\alpha}_i^{(r_j-1)}| < p$, for all $i =
1, \ldots, \ell$ and $j = 1, 2, 3, \ldots$. It follows by (B.2)$^{(r_j)}$ that for each $j = 1, 2, 3, \ldots$,

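whereas $\bigcup_{\beta \in T(A)} \overline{\beta}^{(r_{j+1}-1)} \not\supseteq \mathrm{pow}^*(\{\overline{\alpha}_1^{(r_{j+1}-1)}, \ldots, \overline{\alpha}_\ell^{(r_{j+1}-1)}\})$. Therefore, we
deduce that $\bigcup_{i=1}^{\ell} \overline{\alpha}_i^{(r_j-1)} \subsetneq \bigcup_{i=1}^{\ell} \overline{\alpha}_i^{(r_{j+1}-1)}$, $j = 1, 2, 3, \ldots$. But
$|\bigcup_{i=1}^{\ell} \overline{\alpha}_i^{(r_j-1)}| \ge \ell$ and $|\bigcup_{i=1}^{\ell} \overline{\alpha}_i^{(r_j-1)}| \le (p - 1)\ell$. Hence, if we denote by $N(A)$ the number of
all the calls $C_{r_j}$, Distribute($\alpha_1, \ldots, \alpha_\ell$), made from the Propagation Phase and
such that $|\overline{\alpha}_i^{(r_j-1)}| < p$ for all $i = 1, \ldots, \ell$, we have

$$N(A) \le (p - 2)|A| + 1.$$

Easy calculations prove

$$\sum N(A) \le (2^{n-1} - 1) + (p - 2) \sum_{\ell=1}^{n-1} \binom{n-1}{\ell}\, \ell = (p - 2)(n - 1)2^{n-2} + 2^{n-1} - 1.$$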


Furthermore, it is easy to see that the empty node is processed just once,
and that by Lemma 3.13(b)-(c) each nonempty P-node can be processed at
most two times more by procedure Distribute. Therefore, the sequence of calls
$C_1, C_2, C_3, \ldots$ in $K$ is finite and if we denote by $\ell$ its length the following
inequality holds

$$\ell \le (p - 2)(n - 1)2^{n-2} + 3 \cdot 2^{n-1} - 2,$$

proving the first half of the Termination Lemma.
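
The "easy calculations" behind this bound can be carried through as follows. This derivation is an added worked example, not part of the original report; it assumes, as the summation limit $n - 1$ indicates, that the nonempty P-nodes are counted as the nonempty subsets of a set of $n - 1$ places, and it writes $s$ for the size $|A|$ of a P-node.

$$\sum_{s=1}^{n-1} \binom{n-1}{s} = 2^{n-1} - 1, \qquad \sum_{s=1}^{n-1} \binom{n-1}{s}\, s = (n-1) \sum_{s=1}^{n-1} \binom{n-2}{s-1} = (n-1)\, 2^{n-2}.$$

Summing $N(A) \le (p-2)|A| + 1$ over all nonempty P-nodes therefore gives

$$\sum_{A \ne \emptyset} N(A) \le (p-2)(n-1)2^{n-2} + 2^{n-1} - 1.$$

Adding one call for the empty node and at most two further calls for each of the $2^{n-1} - 1$ nonempty P-nodes yields

$$(p-2)(n-1)2^{n-2} + (2^{n-1} - 1) + 1 + 2(2^{n-1} - 1) = (p-2)(n-1)2^{n-2} + 3 \cdot 2^{n-1} - 2.$$

As a check with constructed values $n = 3$, $p = 4$: the two singleton P-nodes contribute at most $3$ calls each and the one two-element P-node at most $5$, so $\sum N(A) \le 11 = 2 \cdot 2 \cdot 2 + 4 - 1$, and the total is $11 + 1 + 2 \cdot 3 = 18 = 8 + 12 - 2$.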

Next we will prove the slightly stronger fact that the computation $K$
necessarily terminates, i.e. reaches a point in which every place is blocked. This
will be established by first proving that if this is false, the set

$$\bigcup_{\pi \in \Pi \,\wedge\, |\overline{\pi}| < p} (\sigma^{\pi} \setminus f[\overline{\pi}])$$

must be nonempty, and then obtaining a contradiction from this fact.

Remark. As in Section 4, for simplicity we will often write $\overline{\pi}$ in place of $\overline{\pi}^{(\ell)}$,
for all $\pi \in \Pi$, and $f$ in place of $f^{(\ell)}$, where $\ell$ is the length of the sequence of
calls $C_1, C_2, C_3, \ldots$ in $K$. •

Suppose therefore that $K$ does not terminate, i.e. that after the last call $C_\ell$
to the procedure Distribute, $K$ will remain permanently in a state S in which
there are unblocked places. It is easy to see by examining the I.V.A.A. code
that this implies that the following two statements must be true.

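(S.1) Let $\vartheta_0$ be the minimum unblocked place in state S. Then (the blocking
phase never makes any additional node blocked, i.e.) either

(S.1.1) $\vartheta_0$ is trapped and $|\overline{\vartheta}_0| \ne |\sigma^{\vartheta_0}|$; or

(S.1.2) $\vartheta_0$ is nontrapped, $|\overline{\vartheta}_0| \ge p$ and for some P-node $\{\alpha_1, \ldots, \alpha_\ell\}$ having
$\vartheta_0$ among its targets, and such that $|\overline{\alpha}_j| < p$ for all $j = 1, \ldots, \ell$, we
have

$$|\mathrm{pow}^*(\{\overline{\alpha}_1, \ldots, \overline{\alpha}_\ell\}) \cap \overline{\vartheta}_0| \ne |\mathrm{pow}^*(\{\sigma^{\alpha_1}, \ldots, \sigma^{\alpha_\ell}\}) \cap \sigma^{\vartheta_0}|;$$

or

(S.1.3) $\vartheta_0$ is nontrapped and $|\overline{\vartheta}_0| < p$.

(S.2) (No call to Distribute is made on behalf of any unblocked node, i.e.) for
every unblocked P-node $\{\alpha_1, \ldots, \alpha_\ell\}$, either

(S.2.1) $\overline{\alpha}_{j_0} = \emptyset$, for some $j_0 \in \{1, \ldots, \ell\}$; or

(S.2.2) $0 < |\overline{\alpha}_j| < p$, for all $j = 1, \ldots, \ell$, and

$$\mathrm{pow}^*(\{\overline{\alpha}_1, \ldots, \overline{\alpha}_\ell\}) \subseteq \bigcup_{\gamma \in T(\{\alpha_1, \ldots, \alpha_\ell\})} \overline{\gamma}.$$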

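To begin with, we establish the following lemma.

LEMMA 5.1 Assume that the foregoing statements (S.1) and (S.2) hold, and
let $A = \{\alpha_1, \ldots, \alpha_\ell\}$ be a P-node such that $|\overline{\alpha}_i| < p$, for all $i = 1, \ldots, \ell$. Then

$$\mathrm{pow}^*(\{\overline{\alpha}_1, \ldots, \overline{\alpha}_\ell\}) \subseteq \Big(\bigcup_{\beta \in T(A)} \overline{\beta}\Big) \cap \mathrm{dom}(f).$$

Proof. In view of Assertion (E.7), it is enough to show that
$\mathrm{pow}^*(\{\overline{\alpha}_1, \ldots, \overline{\alpha}_\ell\}) \subseteq \bigcup_{\beta \in T(A)} \overline{\beta}$. If the P-node $\{\alpha_1, \ldots, \alpha_\ell\}$ is blocked, let $C_{r_0}$ be the last call
Distribute($\alpha_1, \ldots, \alpha_\ell$). Then

$$\mathrm{pow}^*(\{\overline{\alpha}_1, \ldots, \overline{\alpha}_\ell\}) = \mathrm{pow}^*(\{\overline{\alpha}_1^{(r_0-1)}, \ldots, \overline{\alpha}_\ell^{(r_0-1)}\}) \subseteq \bigcup_{\beta \in T(A)} \overline{\beta}^{(r_0)} \subseteq \bigcup_{\beta \in T(A)} \overline{\beta}.$$

On the other hand, if the P-node is unblocked, our conclusion follows from
statement (S.2), and in any case the lemma holds. •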

Next we prove the following lemma, from which it will be easy to deduce
that $\bigcup_{\pi \in \Pi \,\wedge\, |\overline{\pi}| < p} (\sigma^{\pi} \setminus f[\overline{\pi}]) \ne \emptyset$.

LEMMA 5.2 The hypothesis that statements (S.1) and (S.2) hold implies that
in state S there is some place $\gamma$ of $\varphi$ such that

$$|\overline{\gamma}| < \min(p, |\sigma^{\gamma}|).$$

Proof. We distinguish three cases, according to whether (S.1.1), or (S.1.2), or
(S.1.3) holds.

Case: (S.1.1) holds. Suppose that $\vartheta_0$ is a trapped place and that $|\overline{\vartheta}_0| \ne |\sigma^{\vartheta_0}|$.
Therefore it follows from Assertion (E.5) that $|\overline{\vartheta}_0| < |\sigma^{\vartheta_0}| < p$, which clearly
yields $|\overline{\vartheta}_0| < \min(p, |\sigma^{\vartheta_0}|)$.

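Case: (S.1.2) holds. Next assume that $\vartheta_0$ is nontrapped but for some P-node
$\{\alpha_1, \ldots, \alpha_\ell\}$ having $\vartheta_0$ as a target, and such that $|\overline{\alpha}_i| < p$ for all $i = 1, \ldots, \ell$,
we have

$$|\mathrm{pow}^*(\{\overline{\alpha}_1, \ldots, \overline{\alpha}_\ell\}) \cap \overline{\vartheta}_0| \ne |\mathrm{pow}^*(\{\sigma^{\alpha_1}, \ldots, \sigma^{\alpha_\ell}\}) \cap \sigma^{\vartheta_0}|.$$

The preceding lemma implies that $\mathrm{pow}^*(\{\overline{\alpha}_1, \ldots, \overline{\alpha}_\ell\}) \subseteq \mathrm{dom}(f)$. But
Lemmas 2.7 and 5.1 yield

$$f[\mathrm{pow}^*(\{\overline{\alpha}_1, \ldots, \overline{\alpha}_\ell\}) \cap \overline{\vartheta}_0] = \mathrm{pow}^*(\{f[\overline{\alpha}_1], \ldots, f[\overline{\alpha}_\ell]\}) \cap f[\overline{\vartheta}_0] \subseteq \mathrm{pow}^*(\{\sigma^{\alpha_1}, \ldots, \sigma^{\alpha_\ell}\}) \cap \sigma^{\vartheta_0}.$$

Therefore, by the injectivity of $f$,

$$|\mathrm{pow}^*(\{\overline{\alpha}_1, \ldots, \overline{\alpha}_\ell\}) \cap \overline{\vartheta}_0| < |\mathrm{pow}^*(\{\sigma^{\alpha_1}, \ldots, \sigma^{\alpha_\ell}\}) \cap \sigma^{\vartheta_0}|.$$

Next we show that

$$\mathrm{pow}^*(\{f[\overline{\alpha}_1], \ldots, f[\overline{\alpha}_\ell]\}) \cap f[\overline{\vartheta}_0] = \mathrm{pow}^*(\{f[\overline{\alpha}_1], \ldots, f[\overline{\alpha}_\ell]\}) \cap \sigma^{\vartheta_0}.$$

Let $t \in \mathrm{pow}^*(\{f[\overline{\alpha}_1], \ldots, f[\overline{\alpha}_\ell]\}) \cap \sigma^{\vartheta_0} = f[\mathrm{pow}^*(\{\overline{\alpha}_1, \ldots, \overline{\alpha}_\ell\})] \cap \sigma^{\vartheta_0}$. Then
by Assertion (E.8), $t = f(u)$, for some $u \in \mathrm{pow}^*(\{\overline{\alpha}_1, \ldots, \overline{\alpha}_\ell\}) \cap \overline{\vartheta}_0$, which in
particular proves $t = f(u) \in f[\overline{\vartheta}_0]$. Thus

$$\mathrm{pow}^*(\{f[\overline{\alpha}_1], \ldots, f[\overline{\alpha}_\ell]\}) \cap \sigma^{\vartheta_0} \subseteq \mathrm{pow}^*(\{f[\overline{\alpha}_1], \ldots, f[\overline{\alpha}_\ell]\}) \cap f[\overline{\vartheta}_0].$$

The converse inclusion is an immediate consequence of Assertion (E.3), and
therefore the equality follows.
This in turn implies

$$|\mathrm{pow}^*(\{f[\overline{\alpha}_1], \ldots, f[\overline{\alpha}_\ell]\}) \cap \sigma^{\vartheta_0}| < |\mathrm{pow}^*(\{\sigma^{\alpha_1}, \ldots, \sigma^{\alpha_\ell}\}) \cap \sigma^{\vartheta_0}|,$$

and thus, by Assertion (E.3), $f[\overline{\alpha}_{j_0}] \subsetneq \sigma^{\alpha_{j_0}}$, for some $j_0 \in \{1, \ldots, \ell\}$. Therefore
$|\overline{\alpha}_{j_0}| < \min(p, |\sigma^{\alpha_{j_0}}|)$, proving our lemma, at least in the case in which (S.1.2)
holds.

Case: (S.1.3) holds. Finally suppose that $\vartheta_0$ is nontrapped and that $|\overline{\vartheta}_0| < p$.
Then $|\overline{\vartheta}_0| < p < |\sigma^{\vartheta_0}|$, yielding $|\overline{\vartheta}_0| < \min(p, |\sigma^{\vartheta_0}|)$ and completing the
proof of the lemma in all possible cases. •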

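COROLLARY 5.3 If statements (S.1) and (S.2) hold, then

$$\bigcup_{\pi \in \Pi \,\wedge\, |\overline{\pi}| < p} (\sigma^{\pi} \setminus f[\overline{\pi}]) \ne \emptyset.$$

Proof. The preceding lemma implies that there exists a place $\gamma$ such that
$|\overline{\gamma}| < \min(p, |\sigma^{\gamma}|)$. Therefore
$\emptyset \ne \sigma^{\gamma} \setminus f[\overline{\gamma}] \subseteq \bigcup_{\pi \in \Pi \,\wedge\, |\overline{\pi}| < p} (\sigma^{\pi} \setminus f[\overline{\pi}])$, and the corollary
follows.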

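Now we are ready to show how to derive a contradiction from the fact that

$$\bigcup_{\pi \in \Pi \,\wedge\, |\overline{\pi}| < p} (\sigma^{\pi} \setminus f[\overline{\pi}]) \ne \emptyset.$$

To this end let $t_0 \in \sigma^{\pi_0} \setminus f[\overline{\pi}_0]$ be an element of minimal rank in
$\bigcup_{\pi \in \Pi \,\wedge\, |\overline{\pi}| < p} (\sigma^{\pi} \setminus f[\overline{\pi}])$, where $|\overline{\pi}_0| < p$.

From Lemma 3.6(c) it follows that $t_0 \in \sigma^{\pi_0} \cap \mathrm{pow}^*(\{\sigma^{\alpha_1}, \ldots, \sigma^{\alpha_\ell}\})$, for some
P-node $A = \{\alpha_1, \ldots, \alpha_\ell\}$ having $\pi_0$ as a target.

There are only three possibilities: either $\overline{\alpha}_{i_0} = \emptyset$ for some $i_0 \in \{1, \ldots, \ell\}$,
or $0 < |\overline{\alpha}_i| < p$ for all $i = 1, \ldots, \ell$, or $\overline{\alpha}_i \ne \emptyset$ for all $i = 1, \ldots, \ell$ and $|\overline{\alpha}_{j_0}| \ge p$
for some $j_0 \in \{1, \ldots, \ell\}$. Below we will show that all cases lead to a
contradiction, thereby proving that at the end of the computation $K$ all places must be
blocked.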

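Case: $\overline{\alpha}_{i_0} = \emptyset$ for some $i_0 \in \{1, \ldots, \ell\}$. Since $t_0 \cap \sigma^{\alpha_{i_0}} \ne \emptyset$, for every
$u_0 \in t_0 \cap \sigma^{\alpha_{i_0}}$ we have $\mathrm{rank}(u_0) < \mathrm{rank}(t_0)$ and
$u_0 \in \sigma^{\alpha_{i_0}} \setminus f[\overline{\alpha}_{i_0}] \subseteq \bigcup_{\pi \in \Pi \,\wedge\, |\overline{\pi}| < p} (\sigma^{\pi} \setminus f[\overline{\pi}])$,
contradicting the minimality of $\mathrm{rank}(t_0)$ and ruling out this first case.

Case: $0 < |\overline{\alpha}_i| < p$ for all $i = 1, \ldots, \ell$. As proved in Lemma 5.1, in this
case we have $\mathrm{pow}^*(\{\overline{\alpha}_1, \ldots, \overline{\alpha}_\ell\}) \subseteq (\bigcup_{\beta \in T(A)} \overline{\beta}) \cap \mathrm{dom}(f)$ and therefore by
Lemmas 2.7 and 5.1

$$f[\mathrm{pow}^*(\{\overline{\alpha}_1, \ldots, \overline{\alpha}_\ell\})] = \mathrm{pow}^*(\{f[\overline{\alpha}_1], \ldots, f[\overline{\alpha}_\ell]\}) \subseteq \mathrm{pow}^*(\{\sigma^{\alpha_1}, \ldots, \sigma^{\alpha_\ell}\}).$$

Thus, since

$$t_0 \in \mathrm{pow}^*(\{\sigma^{\alpha_1}, \ldots, \sigma^{\alpha_\ell}\}) \setminus \mathrm{pow}^*(\{f[\overline{\alpha}_1], \ldots, f[\overline{\alpha}_\ell]\})$$

it follows that for some place $\alpha_{i_0}$ there must exist an element $u_0$ such that
$u_0 \in t_0 \cap \sigma^{\alpha_{i_0}} \setminus f[\overline{\alpha}_{i_0}]$. But then $\mathrm{rank}(u_0) < \mathrm{rank}(t_0)$ and
$u_0 \in \bigcup_{\pi \in \Pi \,\wedge\, |\overline{\pi}| < p} (\sigma^{\pi} \setminus f[\overline{\pi}])$,
which shows that the present case is inconsistent.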

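Finally we prove that even the last case is contradictory.

Case: $\overline{\alpha}_i \ne \emptyset$ for all $i = 1, \ldots, \ell$ and $|\overline{\alpha}_{j_0}| \ge p$ for some $j_0 \in \{1, \ldots, \ell\}$. In
this case, statement (S.2) yields that the P-node $\{\alpha_1, \ldots, \alpha_\ell\}$ is marked either
visited or blocked. In any event, as $|\overline{\pi}_0| < p$ it follows that the place $\pi_0$ must
be trapped. Thus by Assertion D we have

$$|\sigma^{\pi_0} \cap \mathrm{pow}^*(\{\sigma^{\alpha_1}, \ldots, \sigma^{\alpha_\ell}\}) \setminus \sigma^A| = |\overline{\pi}_0 \cap \mathrm{pow}^*(\{\overline{\alpha}_1, \ldots, \overline{\alpha}_\ell\})|,$$

where

$$\sigma^A = \begin{cases} \emptyset & \text{if } A \text{ is blocked} \\ \{\sigma^{\alpha_1} \cup \cdots \cup \sigma^{\alpha_\ell}\} & \text{otherwise.} \end{cases}$$

Since $\sigma^{\pi_0} \cap \mathrm{pow}^*(\{\sigma^{\alpha_1}, \ldots, \sigma^{\alpha_\ell}\}) \setminus \sigma^A \subseteq \mathrm{range}(f)$, whereas by Assertion (E.3)
$t_0 \in \sigma^{\pi_0} \cap \mathrm{pow}^*(\{\sigma^{\alpha_1}, \ldots, \sigma^{\alpha_\ell}\}) \setminus \mathrm{range}(f)$, the only possibility is that the
P-node $A$ is unblocked and $t_0 = \sigma^{\alpha_1} \cup \cdots \cup \sigma^{\alpha_\ell}$. In particular some $\alpha_{i_0} \in A$ must
be unblocked. Thus $\vartheta_0 \le \alpha_{i_0}$ and consequently $\mathrm{rank}(\sigma^{\vartheta_0}) \le \mathrm{rank}(\sigma^{\alpha_{i_0}})$ (cf.
Definition 3.8).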

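If $|\overline{\vartheta}_0| < p$, then Assertion (E.4) and statement (S.1) yield
$\emptyset \ne \sigma^{\vartheta_0} \setminus f[\overline{\vartheta}_0] \subseteq \bigcup_{\pi \in \Pi \,\wedge\, |\overline{\pi}| < p} (\sigma^{\pi} \setminus f[\overline{\pi}])$,
and therefore for every $t_1 \in \sigma^{\vartheta_0} \setminus f[\overline{\vartheta}_0]$ we have

$$\mathrm{rank}(t_1) < \mathrm{rank}(\sigma^{\vartheta_0}) \le \mathrm{rank}(\sigma^{\alpha_{i_0}}) \le \mathrm{rank}(\sigma^{\alpha_1} \cup \cdots \cup \sigma^{\alpha_\ell}) = \mathrm{rank}(t_0).$$

This contradicts the minimality of $\mathrm{rank}(t_0)$ and rules out the possibility that
$|\overline{\vartheta}_0| < p$.

On the other hand, if $|\overline{\vartheta}_0| \ge p$, by statement (S.1) we deduce that for some
P-node $\{\beta_1, \ldots, \beta_k\}$ having $\vartheta_0$ among its targets, and such that $|\overline{\beta}_j| < p$ for all
$j = 1, \ldots, k$, we have

$$|\mathrm{pow}^*(\{\overline{\beta}_1, \ldots, \overline{\beta}_k\}) \cap \overline{\vartheta}_0| \ne |\mathrm{pow}^*(\{\sigma^{\beta_1}, \ldots, \sigma^{\beta_k}\}) \cap \sigma^{\vartheta_0}|.$$

This implies

$$\mathrm{pow}^*(\{\sigma^{\beta_1}, \ldots, \sigma^{\beta_k}\}) \cap \sigma^{\vartheta_0} \setminus f[\mathrm{pow}^*(\{\overline{\beta}_1, \ldots, \overline{\beta}_k\}) \cap \overline{\vartheta}_0] \ne \emptyset,$$

which by Assertion (E.4) in turn gives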

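Let $u \in \mathrm{pow}^*(\{\sigma^{\beta_1}, \ldots, \sigma^{\beta_k}\}) \cap \sigma^{\vartheta_0} \setminus \mathrm{pow}^*(\{f[\overline{\beta}_1], \ldots, f[\overline{\beta}_k]\})$. For some
$i_0 \in \{1, \ldots, k\}$, $u \cap \sigma^{\beta_{i_0}} \not\subseteq f[\overline{\beta}_{i_0}]$. Hence, for each $u' \in u \cap \sigma^{\beta_{i_0}} \setminus f[\overline{\beta}_{i_0}]$,

$$u' \in \bigcup_{\pi \in \Pi} (\sigma^{\pi} \setminus f[\overline{\pi}])$$

and

$$\le \mathrm{rank}(\sigma^{\alpha_1} \cup \cdots \cup \sigma^{\alpha_\ell}) = \mathrm{rank}(t_0),$$

contradicting again the minimality of $\mathrm{rank}(t_0)$.

Having shown that a contradiction is derived even in this last case, it follows
that our initial assumption (i.e. that there are unblocked places after the last
call $C_\ell$) is false.

This concludes the proof of the Termination Lemma. •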

Acknowledgments. 

The  author  is  grateful  to  Jacob  T.  Schwartz  for  his  invaluable  assistance, 
and  to  E.  Omodeo  and  A.  Ferro  for  helpful  suggestions  and  discussions. 

The author also acknowledges partial support by ENI and ENIDATA within
the AXL project, by the C.N.R. of Italy and by the U.S. NSF grant # DCR-84-01633.




References 

[Beh] Behmann, H., Beiträge zur Algebra der Logik, insbesondere zum
Entscheidungsproblem, Math. Annalen 86, 1922, pp. 163-220.

[Ble1] Bledsoe, W.W., Splitting and reduction heuristics in automatic theorem
proving, Art. Int. 2, 1971, pp. 55-77.

[Ble2] Bledsoe, W.W., Nonresolution theorem proving, Art. Int. 9, 1977.

[Ble3] Bledsoe, W.W., The UT interactive prover, Tech. Report ATP-17B,
Univ. of Texas at Austin (1983).

[Bre] Breban, M., Ph. D. Dissertation, Courant Inst., New York Univ., 1981.

[BrF] Breban, M., and Ferro, A., Decision procedures for elementary
sublanguages of set theory. III. Formulas involving a limited number of
occurrences of the powerset and general union operators, Adv. in Appl.
Math., 5, 1984.

[BFOS] Breban, M., Ferro, A., Omodeo, E.G., and Schwartz, J.T., Decision
procedures for elementary sublanguages of set theory. II. Formulae
involving restricted quantifiers together with ordinal, integer, map and
domain notions, Comm. Pure Appl. Math. XXXIV, 2, 1981.

[BoM] Boyer, R.S. and Moore, J.S., Computational Logic, Academic Press,
New York, 1979.

[Can] Cantone, D., A decision procedure for a class of unquantified formulae
of set theory involving the powerset and singleton operators, Ph. D.
Thesis, Courant Institute, New York Univ. (1987).

[CFMS] Cantone, D., Ferro, A., Micale, B., and Sorace, G., Decision procedures
for elementary sublanguages of set theory. IV. Formulae involving a
rank operator or one occurrence of the set operator $\Sigma(x) = \{\{y\} \mid y \in x\}$,
Comm. Pure Appl. Math. XXXVII, 37-77 (1987).

[CFO] Cantone, D., Ferro, A., and Omodeo, E.G., Decision procedures for
elementary sublanguages of set theory. VIII. A semidecision procedure
for finite satisfiability of unquantified set-theoretic formulae, Comm.
Pure Appl. Math. XLI 105-120 (1988).




[CFOS] Cantone, D., Ferro, A., Omodeo, E., and Schwartz, J.T., Decision
algorithms for some fragments of analysis and related areas, Comm. Pure
Appl. Math. XL 281-300 (1987).

[CFS1] Cantone, D., Ferro, A., and Schwartz, J.T., Decision procedures for
elementary sublanguages of set theory. V. Multilevel syllogistic extended
by the general union operator, Jour. Comp. Syst. Sci., 34,1 (1987).

[CFS2] Cantone, D., Ferro, A., and Schwartz, J.T., Decision procedures for
elementary sublanguages of set theory. VI. Multilevel syllogistic extended
by the powerset operator, Comm. Pure Appl. Math. XXXVIII 549-571
(1985).

[CGO] Cantone, D., Ghelfo, S., and Omodeo, E.G., The automation of
syllogistic. I. Syllogistic normal forms, Journ. Symb. Comp., to appear
(1987).

[COP] Cantone, D., Omodeo, E.G., and Papoulias, A., The automation of
syllogistic. II. An effective satisfiability test, Journ. Symbolic Comp.,
submitted (1987).

[Con] Constable, R.L., et al. Implementing mathematics with the NUPRL
proof development system, Prentice Hall, Inc., Englewood Cliffs, New
Jersey (1986).

[Fer1] Ferro, A., Decision procedures for some classes of unquantified set
theoretic formulae, Ph. D. Dissertation, Courant Inst., New York Univ.
(1981).

[Fer2] Ferro, A., A note on the decidability of MLS extended by the powerset
operator, Comm. Pure Appl. Math., Vol. XXXVIII, 1985, pp. 367-374.

[FeO] Ferro, A., and Omodeo, E., Decision procedures for elementary
sublanguages of set theory. VII. Validity in set theory when a choice operator
is present, Comm. Pure Appl. Math., XL, 265-280 (1987).

[FOS1] Ferro, A., Omodeo, E., and Schwartz, J.T., Decision procedures for
elementary sublanguages of set theory. I. Multilevel syllogistic and some
extensions, Comm. Pure Appl. Math. 33, 1980.

[FOS2] Ferro, A., Omodeo, E., and Schwartz, J.T., Decision procedures for
elementary fragments of set theory, Fifth Conf. on Automated Deduction,
Les Arcs, France, Lect. Notes in Comp. Sci. 87, Springer-Verlag.




[Gog1] Gogol, D., The $\forall_n\exists$-completeness of Zermelo-Fraenkel set theory,
Zeitschr. f. math. Logik und Grundlagen d. Math. 2, 1978, pp. 289-290.

[Gog2] Gogol, D., Sentences with three quantifiers are decidable, Fund. Math.
CII, 1979, pp. 1-8.

[Jec] Jech, T., Set Theory, Academic Press, New York, 1978.

[KeW] Ketonen, J., Weening, J., EKL - an interactive proof checker, Users'
Ref. Manual, 40 pp, Stanford Univ., 1983.

[LuO] Lusk, E.L., and Overbeek, R.A., The automated reasoning system ITP,
ANL-8427, Argonne Natl. Lab. (April 1984).

[NeO] Nelson, C.G., Oppen, D.C., Simplifier based on Efficient Decision
Algorithms, Fifth Ann. Symp. on Principles of Programming Languages
(1978) 141-150.

[Omo] Omodeo, E.G., Decidability and proof procedures for set theory, Ph.D.
Thesis, Courant Inst., New York Univ., 1984.

[PaP] Parlamento, F., Policriti, A., Decision procedures for elementary
sublanguages of set theory. IX. Undecidability of set theoretic formulas
involving restricted quantifiers, Comm. Pure App. Math. XLI 221-251
(1988).

[Pas] Pastre, D., Automatic Theorem Proving in Set Theory, Art. Int. 10
(1978) 1-27.

[Sch1] Schwartz, J.T., Instantiation and decision procedures for certain classes
of quantified set theoretical formulae, Inst. for Comp. Appl. in Science
and Engineering, NASA Langley Research Center, Hampton, VA,
Report # 7810, 1978.

[Sch2] Schwartz, J.T., A survey of program proof technology, New York Univ.,
Comp. Sci. Dept., Report # 1, September 1978.

[Sla] Slagle, J.R., Automatic Theorem Proving with Built-in Theories
Including Equality, Partial Ordering and Sets, J. ACM 19 (1972) 120-135.

[Tho] Thompson, D.H., ed., AFFIRM reference manual, USC Information
Sciences Institute, 1979.




[Vil] Ville, F., Décidabilité des formules existentielles en théorie des
ensembles, C.R. Acad. Sci., Paris, t. 272, Série A, 1971, pp. 513-519.

[Wey] Weyhrauch, R.W., FOL: a proof checker for first-order logic, Stanford
Artificial Intelligence Lab. Memo AIM-253.1 (1977).




NYU  COMPSCI  TR-373      c.2 

Cantone,  D 

Decision  procedures  for 

elementary  sublanguages  of 

set  theory.  X. 


